<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8" />
    <title>RDP (Remote Desktop Protocol)</title>
    <link rel="stylesheet" type="text/css" href="common/style.css" />
    <script language="JavaScript" type="text/javascript" src="common/script.js"></script>
  </head>
  <body>
    <h1 class="title">RDP (Remote Desktop Protocol)</h1>
      <h2 class="toc"><a href="#toc" class="collapse" id="a-toc" onclick="showhide('toc');">-</a> <a name="toc">Table of Contents</a></h2>
        <div class="toc" id="div-toc">
          <ul>
            <li><a href="#Summary">Tool Overview</a></li>
            <li><a href="#ExecCondition">Tool Operation Overview</a></li>
            <li><a href="#Findings">Information Acquired from Log</a></li>
            <li><a href="#SuccessCondition">Evidence That Can Be Confirmed When Execution is Successful</a></li>
            <li><a href="#KeyEvents">Main Information Recorded at Execution</a></li>
            <li><a href="#SourceDetails">Details: Source Host</a></li>
            <li><a href="#DestinationDetails">Details: Destination Host</a></li>
            <li><a href="#Notes">Remarks</a></li>
          </ul>
          <p class="toc_command"><a href="#" onclick="collapseall('s');">Open all sections</a> | <a href="#" onclick="collapseall('h');">Close all sections</a></p>
          <hr class="section_divider" />
        </div>
      <h2 class="section"><a href="#Summary" class="collapse" id="a-Summary" onclick="showhide('Summary');">-</a> <a name="Summary">Tool Overview</a></h2>
        <div class="section" id="div-Summary">
          <dl class="table">
            <dt class="table">Category</dt>
              <dd class="table">Remote Login</dd>
            <dt class="table">Description</dt>
              <dd class="table">Connects to a server on which Remote Desktop Services (RDS) is running.</dd>
            <dt class="table">Example of Presumed Tool Use During an Attack</dt>
              <dd class="table">This tool is used to view files on the connected host and to collect information for connecting to other hosts, so that the compromised device can be used as a stepping stone.</dd>
          </dl>
        </div>
      <h2 class="section"><a href="#ExecCondition" class="collapse" id="a-ExecCondition" onclick="showhide('ExecCondition');">-</a> <a name="ExecCondition">Tool Operation Overview</a></h2>
        <div class="section" id="div-ExecCondition">
          <table class="border">
            <thead>
              <tr class="border">
                <th class="border_header">Item</th>
                <th class="border_header">Source Host</th>
                <th class="border_header">Destination Host</th>
              </tr>
            </thead>
            <tbody>
              <tr class="border">
                <td class="border_header">OS</td>
                <td class="border" colspan="2">Windows</td>
              </tr>
              <tr class="border">
                <td class="border_header">Belonging to Domain</td>
                <td class="border" colspan="2">Not required</td>
              </tr>
              <tr class="border">
                <td class="border_header">Rights</td>
                <td class="border" colspan="2">Standard user</td>
              </tr>
              <tr class="border">
                <td class="border_header">Communication Protocol</td>
                <td class="border" colspan="2">3389/tcp</td>
              </tr>
              <tr class="border">
                <td class="border_header">Service</td>
                <td class="border">-</td>
                <td class="border">Remote Desktop Services, etc.</td>
              </tr>
            </tbody>
          </table>
        </div>
      <h2 class="section"><a href="#Findings" class="collapse" id="a-Findings" onclick="showhide('Findings');">-</a> <a name="Findings">Information Acquired from Log</a></h2>
        <div class="section" id="div-Findings">
          <dl class="table">
            <dt class="table">Standard Settings</dt>
              <dd class="table"><ul>
                <li>Source host<ul>
                  <li>Execution history (Prefetch)</li>
                  <li>RDP session connection start/end date and time, source host IP address, logged-in user name and account domain, and whether the connection succeeded or failed (Microsoft-Windows-TerminalServices-RDPClient/Operational log)</li>
                  </ul></li>
                <li>Destination Host<ul>
                  <li>RDP session connection start/end date and time, source host IP address, logged-in user name and account domain, and whether the connection succeeded or failed (Microsoft-Windows-TerminalServices-LocalSessionManager/Operational and Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational logs)</li>
                  </ul></li>
                </ul></dd>
            <dt class="table">Additional Settings</dt>
              <dd class="table"><ul>
                <li>Source host<ul>
                  <li>Execution history (audit policy, Sysmon)</li>
                  <li>Communication using 3389/tcp (audit policy, Sysmon)</li>
                  </ul></li>
                <li>Destination Host<ul>
                  <li>Communication using 3389/tcp (audit policy, Sysmon)</li>
                  </ul></li>
                </ul></dd>
          </dl>
        </div>
      <h2 class="section"><a href="#SuccessCondition" class="collapse" id="a-SuccessCondition" onclick="showhide('SuccessCondition');">-</a> <a name="SuccessCondition">Evidence That Can Be Confirmed When Execution is Successful</a></h2>
        <div class="section" id="div-SuccessCondition">
          <ul>
            <li>Destination host: Event ID 4624 is recorded in the &quot;Security&quot; event log.</li>
            <li>Destination host: Event IDs 21 and 24 are recorded in the &quot;Microsoft-Windows-TerminalServices-LocalSessionManager/Operational&quot; event log.</li>
          </ul>
        </div>
      <h2 class="section"><a href="#KeyEvents" class="collapse" id="a-KeyEvents" onclick="showhide('KeyEvents');">-</a> <a name="KeyEvents">Main Information Recorded at Execution</a></h2>
        <div class="section" id="div-KeyEvents">
          <h3 class="subsection"><a href="#KeyEvents-Source" class="collapse" id="a-KeyEvents-Source" onclick="showhide('KeyEvents-Source');">-</a> <a name="KeyEvents-Source">Source Host</a></h3>
            <div class="section" id="div-KeyEvents-Source">
              <h4>USN journal</h4>
                <table class="border">
                  <thead>
                    <tr class="border">
                      <th class="border_header">#</th>
                      <th class="border_header">File Name</th>
                      <th class="border_header">Process</th>
                    </tr>
                  </thead>
                  <tbody>
                    <tr class="border">
                      <td class="border">1</td>
                      <td class="border">Terminal Server Client</td>
                      <td class="border">CLOSE+FILE_CREATE</td>
                    </tr>
                    <tr class="border">
                      <td class="border">2</td>
                      <td class="border">bcache[NUM].bmc</td>
                      <td class="border">CLOSE+DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE</td>
                    </tr>
                    <tr class="border">
                      <td class="border">3</td>
                      <td class="border">Default.rdp</td>
                      <td class="border">CLOSE+DATA_EXTEND+DATA_TRUNCATION</td>
                    </tr>
                  </tbody>
                </table>
              <h4>Event log</h4>
                <table class="border">
                  <thead>
                    <tr class="border">
                      <th class="border_header">#</th>
                      <th class="border_header">Log</th>
                      <th class="border_header">Event ID</th>
                      <th class="border_header">Task Category</th>
                      <th class="border_header">Event Details</th>
                    </tr>
                  </thead>
                  <tbody>
                    <tr class="border">
                      <td class="border">1</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">1</td>
                      <td class="border">Process Create (rule: ProcessCreate)</td>
                      <td class="border">Process Create.<ul>
                        <li><span class="strong">CommandLine</span>: Command line of the execution command</li>
                        <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                        <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                        <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\mstsc.exe)</li>
                        <li><span class="strong">User</span>: User account the process runs as</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">2</td>
                      <td class="border">Microsoft-Windows-TerminalServices-RDPClient/Operational</td>
                      <td class="border">1024</td>
                      <td class="border">Connection Sequence</td>
                      <td class="border">RDP ClientActiveX is trying to connect to the server ([Destination Host Name]).</td>
                    </tr>
                    <tr class="border">
                      <td class="border">3</td>
                      <td class="border">Security</td>
                      <td class="border">4663</td>
                      <td class="border">File System</td>
                      <td class="border">An attempt was made to access an object.<ul>
                        <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteAttributes)</li>
                        <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                        <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\mstsc.exe)</li>
                        <li><span class="strong">Object &gt; Object Name</span>: Target file name (under C:\Users\[User Name]\AppData\Local\Microsoft\Terminal Server Client)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">4</td>
                      <td class="border">Security</td>
                      <td class="border">4663</td>
                      <td class="border">File System</td>
                      <td class="border">An attempt was made to access an object.<ul>
                        <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile, AppendData)</li>
                        <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                        <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\mstsc.exe)</li>
                        <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\[User Name]\Documents\Default.rdp)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">5</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">3</td>
                      <td class="border">Network connection detected (rule: NetworkConnect)</td>
                      <td class="border">Network connection detected.<ul>
                        <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                        <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\mstsc.exe)</li>
                        <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                        <li><span class="strong">User</span>: User account the process runs as</li>
                        <li><span class="strong">SourceIp/SourceHostname/SourcePort</span>: Source IP address/Host name/Port number</li>
                        <li><span class="strong">DestinationIp/DestinationHostname/DestinationPort</span>: Destination IP address/Host name/Port number (destination port: 3389)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">6</td>
                      <td class="border">Microsoft-Windows-TerminalServices-RDPClient/Operational</td>
                      <td class="border">1026</td>
                      <td class="border">Connection Sequence</td>
                      <td class="border">RDP ClientActiveX has been disconnected (Reason = [Reason]).<ul>
                        <li><span class="strong">Reason</span>: Disconnect reason code (1)</li>
                        </ul></td>
                    </tr>
                  </tbody>
                </table>
              <h4>UserAssist</h4>
                <table class="border">
                  <thead>
                    <tr class="border">
                      <th class="border_header">#</th>
                      <th class="border_header">Registry</th>
                      <th class="border_header">Data</th>
                    </tr>
                  </thead>
                  <tbody>
                    <tr class="border">
                      <td class="border">1</td>
                      <td class="border">\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ErzbgrQrfxgbc</td>
                      <td class="border">Date and time of the initial execution, Total number of executions</td>
                    </tr>
                  </tbody>
                </table>
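                <p>Added example (not code from the original page or from the project it documents): decoding the UserAssist entry listed above. Windows stores UserAssist value names ROT13-encoded, so the page's <code>Zvpebfbsg.Jvaqbjf.ErzbgrQrfxgbc</code> decodes to <code>Microsoft.Windows.RemoteDesktop</code>. The value layout decoded here is an assumption taken from the Windows 7 and later 72-byte format (run count at offset 4, focus count at 8, focus time at 12, last-execution FILETIME at offset 60); the registry key path is the page's, while the value bytes are constructed for this example rather than read from a hive.</p>

```python
"""Decode the UserAssist entry that records launches of the Remote Desktop client.

Added example, not code from the original page. Value names are ROT13-encoded
by Windows; the 72-byte value layout assumed here is the Windows 7+ format
(run count @4, focus count @8, focus time @12, last-execution FILETIME @60).
The key path is the page's; the sample value bytes are constructed.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

USERASSIST_COUNT_KEY = (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
                        r"\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count")
RDP_VALUE_NAME = "Zvpebfbsg.Jvaqbjf.ErzbgrQrfxgbc"   # value name from the page (ROT13)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
VALUE_SIZE = 72


def decode_name(value_name):
    """UserAssist value names are ROT13-obfuscated program identifiers or paths."""
    return codecs.decode(value_name, "rot_13")


def filetime_to_datetime(filetime):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC; 0 means never set."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when):
    """Inverse of filetime_to_datetime, kept in integers to avoid float rounding."""
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_userassist_value(blob):
    """Return run count, focus statistics and last execution time from a value blob."""
    if len(blob) != VALUE_SIZE:
        raise ValueError("expected %d-byte UserAssist value, got %d" % (VALUE_SIZE, len(blob)))
    run_count, focus_count, focus_time_ms = struct.unpack_from("<III", blob, 4)
    (last_ft,) = struct.unpack_from("<Q", blob, 60)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_time_ms,
        "last_executed": filetime_to_datetime(last_ft),
    }


def build_sample_value(run_count, last_executed, focus_count=0, focus_time_ms=0):
    """Constructed sample value in the layout above (demo input, not a registry read)."""
    blob = bytearray(VALUE_SIZE)
    struct.pack_into("<III", blob, 4, run_count, focus_count, focus_time_ms)
    struct.pack_into("<Q", blob, 60, datetime_to_filetime(last_executed))
    return bytes(blob)


def rdp_client_history(value_name, blob):
    """Report the RDP client's UserAssist entry, or None if the value belongs to another program."""
    if decode_name(value_name) != "Microsoft.Windows.RemoteDesktop":
        return None
    info = parse_userassist_value(blob)
    info["program"] = decode_name(value_name)
    return info


# Constructed sample: the client ran 7 times, most recently on 2024-01-15 09:12 UTC.
SAMPLE_LAST_EXECUTED = datetime(2024, 1, 15, 9, 12, tzinfo=timezone.utc)
SAMPLE_VALUE = build_sample_value(7, SAMPLE_LAST_EXECUTED, focus_count=3, focus_time_ms=42000)

if __name__ == "__main__":
    print("key:", USERASSIST_COUNT_KEY)
    print(rdp_client_history(RDP_VALUE_NAME, SAMPLE_VALUE))
```

                <p>On a live hive the same functions apply to the raw <code>REG_BINARY</code> data of each value under the Count key; a value for a different program decodes to another name and is reported as <code>None</code>, so the check can be run over the whole key to pick out the Remote Desktop client entry.</p>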
              <h4>MFT</h4>
                <table class="border">
                  <thead>
                    <tr class="border">
                      <th class="border_header">#</th>
                      <th class="border_header">Path</th>
                      <th class="border_header">Header Flag</th>
                      <th class="border_header">Validity</th>
                    </tr>
                  </thead>
                  <tbody>
                    <tr class="border">
                      <td class="border">1</td>
                      <td class="border">[Drive Name]:\Users\[User Name]\AppData\Local\Microsoft\Terminal Server Client\Cache\bcache[NUM].bmc</td>
                      <td class="border">FILE</td>
                      <td class="border">ALLOCATED</td>
                    </tr>
                    <tr class="border">
                      <td class="border">2</td>
                      <td class="border">[Drive Name]:\Users\[User Name]\Documents\Default.rdp</td>
                      <td class="border">FILE</td>
                      <td class="border">ALLOCATED</td>
                    </tr>
                  </tbody>
                </table>
              <h4>Prefetch</h4>
                <ul>
                  <li>C:\Windows\Prefetch\MSTSC.EXE-[RANDOM].pf</li>
                </ul>
              <h4>Registry entry</h4>
                <table class="border">
                  <thead>
                    <tr class="border">
                      <th class="border_header">#</th>
                      <th class="border_header">Path</th>
                      <th class="border_header">Value</th>
                    </tr>
                  </thead>
                  <tbody>
                    <tr class="border">
                      <td class="border">1</td>
                      <td class="border">HKEY_USERS\[User SID]\SOFTWARE\Microsoft\Terminal Server Client\Default\MRU0</td>
                      <td class="border">[Destination Host]</td>
                    </tr>
                    <tr class="border">
                      <td class="border">2</td>
                      <td class="border">HKEY_USERS\[User SID]\SOFTWARE\Microsoft\Terminal Server Client\Servers\[Destination Host]\UsernameHint</td>
                      <td class="border">[User Name]</td>
                    </tr>
                    <tr class="border">
                      <td class="border">3</td>
                      <td class="border">HKEY_USERS\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\Microsoft.Windows.RemoteDesktop</td>
                      <td class="border">(String)</td>
                    </tr>
                    <tr class="border">
                      <td class="border">4</td>
                      <td class="border">HKEY_USERS\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ErzbgrQrfxgbc</td>
                      <td class="border">(String)</td>
                    </tr>
                  </tbody>
                </table>
            </div>
          <h3 class="subsection"><a href="#KeyEvents-Destination" class="collapse" id="a-KeyEvents-Destination" onclick="showhide('KeyEvents-Destination');">-</a> <a name="KeyEvents-Destination">Destination Host</a></h3>
            <div class="section" id="div-KeyEvents-Destination">
              <h4>Event log</h4>
                <table class="border">
                  <thead>
                    <tr class="border">
                      <th class="border_header">#</th>
                      <th class="border_header">Log</th>
                      <th class="border_header">Event ID</th>
                      <th class="border_header">Task Category</th>
                      <th class="border_header">Event Details</th>
                    </tr>
                  </thead>
                  <tbody>
                    <tr class="border">
                      <td class="border">1</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">3</td>
                      <td class="border">Network connection detected (rule: NetworkConnect)</td>
                      <td class="border">Network connection detected.<ul>
                        <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                        <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
                        <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                        <li><span class="strong">User</span>: User account the process runs as</li>
                        <li><span class="strong">SourceIp/SourceHostname/SourcePort</span>: Source IP address/Host name/Port number</li>
                        <li><span class="strong">DestinationIp/DestinationHostname/DestinationPort</span>: Destination IP address/Host name/Port number (destination port: 3389)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">2</td>
                      <td class="border">Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</td>
                      <td class="border">25</td>
                      <td class="border">TerminalServices-LocalSessionManager</td>
                      <td class="border">Remote Desktop Services: Session reconnection succeeded. The session is reconnected by Remote Desktop.</td>
                    </tr>
                    <tr class="border">
                      <td class="border">3</td>
                      <td class="border">Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</td>
                      <td class="border">261</td>
                      <td class="border">TerminalServices-RemoteConnectionManager</td>
                      <td class="border">Listener RDP-Tcp received a connection.</td>
                    </tr>
                    <tr class="border">
                      <td class="border">4</td>
                      <td class="border">Security</td>
                      <td class="border">4648</td>
                      <td class="border">Logon</td>
                      <td class="border">A logon was attempted using explicit credentials.<ul>
                        <li><span class="strong">Account for which Credentials were Used &gt; Account Name</span>: Specified account name</li>
                        <li><span class="strong">Subject &gt; Logon ID/Logon GUID</span>: Session ID of the user who executed the authentication</li>
                        <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs</li>
                        <li><span class="strong">Target Server &gt; Target Server Name</span>: Logon destination host name (destination host)</li>
                        <li><span class="strong">Process Information &gt; Process Name</span>: Process name that attempted the logon (C:\Windows\System32\lsass.exe)</li>
                        <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool</li>
                        <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool</li>
                        <li><span class="strong">Target Server &gt; Additional Information</span>: Additional information on the logon destination host (TERMSRV/[Destination Host])</li>
                        <li><span class="strong">Account for which Credentials were Used &gt; Account Domain</span>: Domain to which the specified account belongs</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">5</td>
                      <td class="border">Security</td>
                      <td class="border">4624</td>
                      <td class="border">Logon</td>
                      <td class="border">An account was successfully logged on.<ul>
                        <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                        <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (SYSTEM/[Destination Host]$/Domain)</li>
                        <li><span class="strong">New Logon &gt; Logon ID/Logon GUID</span>: Session ID of the user who was logged on</li>
                        <li><span class="strong">Detailed Authentication Information &gt; Logon Process</span>: Process used for logon (User32)</li>
                        <li><span class="strong">New Logon &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who was logged on</li>
                        <li><span class="strong">Logon Type</span>: Logon path, method, etc. (10=Terminal Service/Remote Desktop)</li>
                        <li><span class="strong">Network Information &gt; Workstation Name</span>: Name of the host that requested the logon (destination host)</li>
                        <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\System32\winlogon.exe)</li>
                        <li><span class="strong">Detailed Authentication Information &gt; Authentication Package</span>: Authentication package used (Negotiate)</li>
                        <li><span class="strong">Network Information &gt; Source Network Address</span>: IP address that requested the logon (source host)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">6</td>
                      <td class="border">Security</td>
                      <td class="border">4779</td>
                      <td class="border">Other Logon/Logoff Events</td>
                      <td class="border">A session was disconnected from a Window Station.<ul>
                        <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool</li>
                        <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs</li>
                        <li><span class="strong">Additional Information &gt; Client Address</span>: Execution source address (source host IP address)</li>
                        <li><span class="strong">Session &gt; Session Name</span>: Identification name of the session (RDP-Tcp#[Number])</li>
                        <li><span class="strong">Additional Information &gt; Client Name</span>: Execution source host name (source host name)</li>
                        <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who attempted registration</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">7</td>
                      <td class="border">Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</td>
                      <td class="border">1149</td>
                      <td class="border">TerminalServices-RemoteConnectionManager</td>
                      <td class="border">Remote Desktop Services: User authentication was successful.<ul>
                        <li><span class="strong">Domain</span>: User domain</li>
                        <li><span class="strong">User</span>: User who was using the session</li>
                        <li><span class="strong">Source Network Address</span>: Source host address of the session</li>
                        </ul></td>
                    </tr>
                  </tbody>
                </table>
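                <p>Added example (not code from the original page or from the project it documents), serving both the &quot;Evidence That Can Be Confirmed When Execution is Successful&quot; section and the source/destination event tables above: it flattens Windows event records into dictionaries, tags the ones the page lists as RDP evidence (Sysmon 1 for mstsc.exe, Sysmon 3 to port 3389, Security 4624 with logon type 10, LocalSessionManager 21/25), and applies the page's success check on the destination host. The records are constructed inline in the XML layout that Windows event logs export; the EventData and UserData field names are the real ones, while host names, users, addresses and timestamps are invented sample values.</p>

```python
"""Pick RDP evidence out of Windows event records and apply the page's
destination-host success check.

Added example, not code from the original page. The records are constructed
in the Windows event XML layout (real EventData/UserData field names; invented
hosts, users, addresses and times).
"""
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
SYSMON = "Microsoft-Windows-Sysmon/Operational"
LSM = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"

# Constructed sample log: WS01 (source) opens an RDP session to SRV01 (destination).
# An HTTPS connection and a type-3 network logon are included as non-matches.
SAMPLE_LOG = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>1</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>WS01</Computer><TimeCreated SystemTime="2024-01-15T09:12:01Z"/></System>
<EventData><Data Name="Image">C:\Windows\System32\mstsc.exe</Data><Data Name="User">EXAMPLE\alice</Data></EventData></Event>
<Event><System><EventID>3</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>WS01</Computer><TimeCreated SystemTime="2024-01-15T09:12:02Z"/></System>
<EventData><Data Name="Image">C:\Windows\System32\mstsc.exe</Data><Data Name="User">EXAMPLE\alice</Data><Data Name="Protocol">tcp</Data><Data Name="SourceIp">10.0.0.7</Data><Data Name="DestinationIp">10.0.0.25</Data><Data Name="DestinationPort">3389</Data></EventData></Event>
<Event><System><EventID>3</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>WS01</Computer><TimeCreated SystemTime="2024-01-15T09:12:02Z"/></System>
<EventData><Data Name="Image">C:\Windows\System32\svchost.exe</Data><Data Name="User">NT AUTHORITY\SYSTEM</Data><Data Name="Protocol">tcp</Data><Data Name="SourceIp">10.0.0.7</Data><Data Name="DestinationIp">10.0.0.30</Data><Data Name="DestinationPort">443</Data></EventData></Event>
<Event><System><EventID>4624</EventID><Channel>Security</Channel><Computer>SRV01</Computer><TimeCreated SystemTime="2024-01-15T09:12:05Z"/></System>
<EventData><Data Name="TargetUserName">alice</Data><Data Name="TargetDomainName">EXAMPLE</Data><Data Name="LogonType">10</Data><Data Name="LogonProcessName">User32</Data><Data Name="IpAddress">10.0.0.7</Data><Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data></EventData></Event>
<Event><System><EventID>4624</EventID><Channel>Security</Channel><Computer>SRV01</Computer><TimeCreated SystemTime="2024-01-15T09:12:06Z"/></System>
<EventData><Data Name="TargetUserName">SRV01$</Data><Data Name="TargetDomainName">EXAMPLE</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.40</Data></EventData></Event>
<Event><System><EventID>21</EventID><Channel>Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</Channel><Computer>SRV01</Computer><TimeCreated SystemTime="2024-01-15T09:12:07Z"/></System>
<UserData><EventXML xmlns="Event_NS"><User>EXAMPLE\alice</User><SessionID>2</SessionID><Address>10.0.0.7</Address></EventXML></UserData></Event>
</Events>"""


def q(tag):
    """Qualify a tag name with the Windows event namespace."""
    return "{%s}%s" % (EVT_NS, tag)


def parse_events(xml_text):
    """Flatten each <Event> into one dict: System fields plus EventData/UserData values."""
    records = []
    for ev in ET.fromstring(xml_text).iter(q("Event")):
        system = ev.find(q("System"))
        rec = {
            "EventID": int(system.findtext(q("EventID"))),
            "Channel": system.findtext(q("Channel")),
            "Computer": system.findtext(q("Computer")),
            "Time": system.find(q("TimeCreated")).get("SystemTime"),
        }
        for data in ev.iter(q("Data")):            # <EventData><Data Name="...">
            rec[data.get("Name")] = (data.text or "").strip()
        user_data = ev.find(q("UserData"))         # TerminalServices logs use <UserData>
        if user_data is not None:
            for leaf in user_data.iter():
                if len(leaf) == 0 and leaf.text:
                    rec[leaf.tag.rsplit("}", 1)[-1]] = leaf.text.strip()
        records.append(rec)
    return records


def rdp_findings(records):
    """Tag the records the page lists as RDP evidence: (computer, tag, user, peer address)."""
    out = []
    for r in records:
        ch, eid = r["Channel"], r["EventID"]
        image = r.get("Image", "").lower()
        if ch == SYSMON and eid == 1 and image.endswith("\\mstsc.exe"):
            out.append((r["Computer"], "client-started", r.get("User"), None))
        elif ch == SYSMON and eid == 3 and r.get("DestinationPort") == "3389":
            out.append((r["Computer"], "outbound-3389", r.get("User"), r.get("DestinationIp")))
        elif ch == "Security" and eid == 4624 and r.get("LogonType") == "10":
            user = "{}\\{}".format(r.get("TargetDomainName"), r.get("TargetUserName"))
            out.append((r["Computer"], "logon-type10", user, r.get("IpAddress")))
        elif ch == LSM and eid in (21, 25):
            out.append((r["Computer"], "session-connected", r.get("User"), r.get("Address")))
    return out


def confirmed_sessions(findings):
    """Success check from the page: a type-10 logon (4624) and an LSM 21/25 session
    on the same destination host, for the same user and source address."""
    logons = {(c, u, a) for c, tag, u, a in findings if tag == "logon-type10"}
    sessions = {(c, u, a) for c, tag, u, a in findings if tag == "session-connected"}
    return sorted(logons & sessions)


if __name__ == "__main__":
    found = rdp_findings(parse_events(SAMPLE_LOG))
    for computer, tag, user, peer in found:
        print("%-6s %-18s %-16s %s" % (computer, tag, user, peer or ""))
    print("confirmed:", confirmed_sessions(found))
```

                <p>Matching the logon and the session on user and source address, rather than on either record alone, is what turns the two event lists into the page's confirmation criterion; the unmatched type-3 logon and the non-3389 connection in the sample are dropped by the filters, which is the behaviour to expect on a busy server.</p>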
              <h4>Prefetch</h4>
                <ul>
                  <li>C:\Windows\Prefetch\TSTHEME.EXE-[RANDOM].pf</li>
                  <li>C:\Windows\Prefetch\RDPCLIP.EXE-[RANDOM].pf</li>
                </ul>
            </div>
        </div>
        <hr class="section_divider" />
      <h2 class="section"><a href="#SourceDetails" class="collapse" id="a-SourceDetails" onclick="showhide('SourceDetails');">-</a> <a name="SourceDetails">Details: Source Host</a></h2>
        <div class="section" id="div-SourceDetails">
          <h3 class="subsection"><a href="#SourceDetails-USNJournal" class="collapse" id="a-SourceDetails-USNJournal" onclick="showhide('SourceDetails-USNJournal');">-</a> <a name="SourceDetails-USNJournal">USN Journal</a></h3>
            <div class="section" id="div-SourceDetails-USNJournal">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">File Name</th>
                    <th class="border_header">Process</th>
                    <th class="border_header">Attribute</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="2">1</td>
                    <td class="border">Terminal Server Client</td>
                    <td class="border">FILE_CREATE</td>
                    <td class="border">directory</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Terminal Server Client</td>
                    <td class="border">CLOSE+FILE_CREATE</td>
                    <td class="border">directory</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">2</td>
                    <td class="border">bcache[NUM].bmc</td>
                    <td class="border">FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">bcache[NUM].bmc</td>
                    <td class="border">DATA_EXTEND+FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">bcache[NUM].bmc</td>
                    <td class="border">DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">bcache[NUM].bmc</td>
                    <td class="border">CLOSE+DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">3</td>
                    <td class="border">[RANDOM].automaticDestinations-ms</td>
                    <td class="border">FILE_CREATE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[RANDOM].automaticDestinations-ms</td>
                    <td class="border">DATA_EXTEND+FILE_CREATE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[RANDOM].automaticDestinations-ms</td>
                    <td class="border">DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">[RANDOM].automaticDestinations-ms</td>
                    <td class="border">CLOSE+DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE</td>
                    <td class="border">archive</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">4</td>
                    <td class="border">Default.rdp</td>
                    <td class="border">DATA_TRUNCATION</td>
                    <td class="border">hidden+archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Default.rdp</td>
                    <td class="border">DATA_EXTEND+DATA_TRUNCATION</td>
                    <td class="border">hidden+archive</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Default.rdp</td>
                    <td class="border">CLOSE+DATA_EXTEND+DATA_TRUNCATION</td>
                    <td class="border">hidden+archive</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">5</td>
                    <td class="border">MSTSC.EXE-[RANDOM].pf</td>
                    <td class="border">DATA_TRUNCATION</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">MSTSC.EXE-[RANDOM].pf</td>
                    <td class="border">DATA_EXTEND+DATA_TRUNCATION</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">MSTSC.EXE-[RANDOM].pf</td>
                    <td class="border">CLOSE+DATA_EXTEND+DATA_TRUNCATION</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                </tbody>
              </table>
            </div>
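<p>The Default.rdp rows above record mstsc.exe rewriting the client's saved settings file on every connection, and the Microsoft-Windows-TerminalServices-RDPClient/Operational event 1029 in the Event Log table that follows records only a hash of the user name, not the name itself. The following Python example is added here and is not part of the original analysis sheet. It shows how an analyst turns both artifacts into evidence: it parses a constructed Default.rdp (mstsc writes this file as UTF-16LE text with a BOM, one name:type:value setting per line) to recover the last full address and user name, and it recomputes the 1029 value for candidate account names so that a suspected account can be confirmed or excluded. The hash input encoding (the name exactly as typed into the client, encoded as UTF-16LE without a BOM) is an assumption of this example; verify it once against an event produced by an account you control before relying on it. The host name, account names and the sample file are constructed.</p>

```python
import base64
import hashlib
from typing import Dict, Iterable, List, Optional

# Constructed sample of %USERPROFILE%\Documents\Default.rdp. mstsc writes the
# file as UTF-16LE text with a BOM and CRLF line endings, one "name:type:value"
# setting per line (type i = integer, s = string). Host and user are made up.
SAMPLE_DEFAULT_RDP: bytes = b"\xff\xfe" + (
    "screen mode id:i:2\r\n"
    "full address:s:srv01.corp.example:3389\r\n"
    "username:s:CORP\\alice\r\n"
    "authentication level:i:2\r\n"
).encode("utf-16-le")


def parse_rdp_file(data: bytes) -> Dict[str, str]:
    """Parse .rdp settings into {name: value}.

    Values may themselves contain ':' (e.g. "host:port"), so each line is
    split on its first two colons only. Lines that do not fit the
    name:type:value shape are skipped rather than failing the parse.
    """
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = data.decode("utf-16")  # the BOM selects the byte order
    else:
        text = data.decode("utf-16-le", errors="replace")  # BOM-less copy
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        name, _type, value = parts
        settings[name.strip()] = value
    return settings


def last_rdp_target(data: bytes) -> Optional[str]:
    """The 'full address' mstsc saved on the last connection, or None."""
    return parse_rdp_file(data).get("full address")


def rdp_1029_hash(username: str) -> str:
    """Recompute the RDPClient/Operational 1029 value for one user name.

    Assumption (verify against a known account): the event logs
    Base64(SHA256(username encoded as UTF-16LE, no BOM)).
    """
    digest = hashlib.sha256(username.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")


def username_variants(user: str, netbios_domain: str, dns_domain: str) -> List[str]:
    """The same account can be typed into mstsc in several forms, and the
    hash covers the exact string typed, so every spelling is a candidate."""
    return [
        user,
        f"{netbios_domain}\\{user}",
        f"{user}@{dns_domain}",
    ]


def match_1029_hash(logged_value: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate whose recomputed hash equals the logged value.

    The comparison is exact: Base64 strings are case-sensitive and so is
    the user name that went into the hash.
    """
    for candidate in candidates:
        if rdp_1029_hash(candidate) == logged_value:
            return candidate
    return None


if __name__ == "__main__":
    settings = parse_rdp_file(SAMPLE_DEFAULT_RDP)
    print("last target :", settings.get("full address"))
    print("saved user  :", settings.get("username"))

    # Constructed 1029 value: what the event would hold if "CORP\alice" was typed.
    logged = rdp_1029_hash("CORP\\alice")
    candidates = username_variants("alice", "CORP", "corp.example")
    print("1029 matches:", match_1029_hash(logged, candidates))
```

<p>A miss against every variant does not clear an account: it can mean the name was typed in yet another form (a different domain spelling, trailing whitespace, a local account prefixed with the host name), so widen the candidate list before concluding anything from the hash alone.</p>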
          <h3 class="subsection"><a href="#SourceDetails-EventLogs" class="collapse" id="a-SourceDetails-EventLogs" onclick="showhide('SourceDetails-EventLogs');">-</a> <a name="SourceDetails-EventLogs">Event Log</a></h3>
            <div class="section" id="div-SourceDetails-EventLogs">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Event Log</th>
                    <th class="border_header">Event ID</th>
                    <th class="border_header">Task Category</th>
                    <th class="border_header">Event Details</th>
                  </tr>
                </thead>
                <tbody>
                <tr class="border">
                  <td class="border" rowspan="2">1</td>
                  <td class="border">Security</td>
                  <td class="border">4688</td>
                  <td class="border">Process Create</td>
                  <td class="border">A new process has been created.<ul>
                    <li><span class="strong">Process Information &gt; Mandatory Label</span>: Integrity level of the new process (Mandatory Label\Medium Mandatory Level, i.e. the client was not run elevated)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Process Information &gt; Creator Process Name</span>: Path to the parent process that created the new process (this field exists only on Windows 10 / Windows Server 2016 and later)</li>
                    <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
                    <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (C:\Windows\System32\mstsc.exe)</li>
                    <li><span class="strong">Process Information &gt; Token Elevation Type</span>: UAC token type of the new process (%%1936 = TokenElevationTypeDefault, type 1: a token that UAC did not split, so no elevation took place)</li>
                    <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Process Information &gt; Creator Process ID</span>: Process ID of the parent process that created the new process (hexadecimal)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Logon session ID of the user who executed the process</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">1</td>
                  <td class="border">Process Create (rule: ProcessCreate)</td>
                  <td class="border">Process Create.<ul>
                    <li><span class="strong">LogonGuid/LogonId</span>: ID of the logon session</li>
                    <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: Process ID of the parent process</li>
                    <li><span class="strong">ParentImage</span>: Executable file of the parent process</li>
                    <li><span class="strong">CurrentDirectory</span>: Working directory</li>
                    <li><span class="strong">CommandLine</span>: Command line of the executed command</li>
                    <li><span class="strong">IntegrityLevel</span>: Integrity level of the process (corresponds to the Mandatory Label in Event ID 4688)</li>
                    <li><span class="strong">ParentCommandLine</span>: Command line of the parent process</li>
                    <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                    <li><span class="strong">User</span>: User the process runs as</li>
                    <li><span class="strong">Hashes</span>: Hash value of the executable file</li>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\mstsc.exe)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="1">2</td>
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">12</td>
                  <td class="border">Registry object added or deleted (rule: RegistryEvent)</td>
                  <td class="border">Registry object added or deleted.<ul>
                    <li><span class="strong">EventType</span>: Operation type (CreateKey)</li>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\mstsc.exe)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                    <li><span class="strong">TargetObject</span>: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="4">3</td>
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">11</td>
                  <td class="border">File created (rule: FileCreate)</td>
                  <td class="border">File created.<ul>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\mstsc.exe)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                    <li><span class="strong">TargetFilename</span>: Created file (C:\Users\[User Name]\AppData\Local\Microsoft\Terminal Server Client\Cache, the client's bitmap cache directory)</li>
                    <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4656</td>
                  <td class="border">File System/Other Object Access Events</td>
                  <td class="border">A handle to an object was requested.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including SYNCHRONIZE and WriteAttributes)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Local\Microsoft\Terminal Server Client\Cache)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\mstsc.exe)</li>
                    <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4663</td>
                  <td class="border">File System</td>
                  <td class="border">An attempt was made to access an object.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Access Request Information &gt; Accesses/Access Mask</span>: Requested privileges (including WriteAttributes)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Local\Microsoft\Terminal Server Client\Cache)</li>
                    <li><span class="strong">Keywords</span>: Audit Success (the access succeeded)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that accessed the object (C:\Windows\System32\mstsc.exe)</li>
                    <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4658</td>
                  <td class="border">File System</td>
                  <td class="border">The handle to an object was closed.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="2">4</td>
                  <td class="border">Microsoft-Windows-TerminalServices-RDPClient/Operational</td>
                  <td class="border">1024</td>
                  <td class="border">Connection Sequence</td>
                  <td class="border">RDP ClientActiveX is trying to connect to the server ([Destination Host Name]).</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Microsoft-Windows-TerminalServices-RDPClient/Operational</td>
                <td class="border">1028</td>
                <td class="border">Connection Sequence</td>
                <td class="border">The server supports SSL = supported.</td>
            </tr>
            <tr class="border">
              <td class="border" rowspan="1">5</td>
              <td class="border">Microsoft-Windows-Sysmon/Operational</td>
              <td class="border">12</td>
              <td class="border">Registry object added or deleted (rule: RegistryEvent)</td>
              <td class="border">Registry object added or deleted.<ul>
                <li><span class="strong">EventType</span>: Operation type (CreateKey)</li>
                <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\mstsc.exe)</li>
                <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                <li><span class="strong">TargetObject</span>: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters)</li>
                </ul></td>
            </tr>
            <tr class="border">
              <td class="border" rowspan="1">6</td>
              <td class="border">Microsoft-Windows-Sysmon/Operational</td>
              <td class="border">13</td>
              <td class="border">Registry value set (rule: RegistryEvent)</td>
              <td class="border">Registry value set.<ul>
                <li><span class="strong">EventType</span>: Operation type (SetValue)</li>
                <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\Explorer.EXE; UserAssist is maintained by Explorer, which is why this event names Explorer.EXE rather than mstsc.exe and why it is typically not recorded when mstsc.exe is started from a command prompt instead of the Start menu or a shortcut)</li>
                <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                <li><span class="strong">Details</span>: Setting value written to the registry (Binary Data: the UserAssist run count and last-execution timestamp)</li>
                <li><span class="strong">TargetObject</span>: Registry value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ErzbgrQrfxgbc; the value name is ROT13-encoded and decodes to Microsoft.Windows.RemoteDesktop, the AppID of the Remote Desktop Connection shortcut)</li>
                </ul></td>
            </tr>
            <tr class="border">
              <td class="border" rowspan="3">7</td>
              <td class="border">Microsoft-Windows-Sysmon/Operational</td>
              <td class="border">3</td>
              <td class="border">Network connection detected (rule: NetworkConnect)</td>
              <td class="border">Network connection detected.<ul>
                <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                <li><span class="strong">DestinationIp</span>: Destination IP address (destination host IP address)</li>
                <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\mstsc.exe)</li>
                <li><span class="strong">DestinationHostname</span>: Destination host name</li>
                <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                <li><span class="strong">User</span>: User the process runs as</li>
                <li><span class="strong">DestinationPort</span>: Destination port number (3389)</li>
                <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                <li><span class="strong">SourceHostname</span>: Source host name</li>
                <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
                </ul></td>
            </tr>
            <tr class="border">
              <!-- rowspan -->
              <td class="border">Security</td>
              <td class="border">5158</td>
              <td class="border">Filtering Platform Connection</td>
              <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\mstsc.exe)</li>
                </ul></td>
            </tr>
            <tr class="border">
              <!-- rowspan -->
              <td class="border">Security</td>
              <td class="border">5156</td>
              <td class="border">Filtering Platform Connection</td>
              <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (3389)</li>
                <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (destination host)</li>
                <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\mstsc.exe)</li>
                <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                </ul></td>
            </tr>
            <tr class="border">
              <td class="border" rowspan="3">8</td>
              <td class="border">Security</td>
              <td class="border">4656</td>
              <td class="border">File System/Other Object Access Events</td>
              <td class="border">A handle to an object was requested.<ul>
                <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege</li>
                <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\MSTSC.EXE-[RANDOM].pf)</li>
                <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                </ul></td>
            </tr>
            <tr class="border">
              <!-- rowspan -->
              <td class="border">Security</td>
              <td class="border">4663</td>
              <td class="border">File System</td>
              <td class="border">An attempt was made to access an object.<ul>
                <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                <li><span class="strong">Access Request Information &gt; Accesses/Access Mask</span>: Requested privileges (including WriteData (or AddFile) and AppendData (or AddSubdirectory))</li>
                <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\MSTSC.EXE-[RANDOM].pf)</li>
                <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                </ul></td>
            </tr>
            <tr class="border">
              <!-- rowspan -->
              <td class="border">Security</td>
              <td class="border">4658</td>
              <td class="border">File System</td>
              <td class="border">The handle to an object was closed.<ul>
                <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                </ul></td>
            </tr>
            <tr class="border">
              <td class="border" rowspan="1">9</td>
              <td class="border">Microsoft-Windows-Sysmon/Operational</td>
              <td class="border">12</td>
              <td class="border">Registry object added or deleted (rule: RegistryEvent)</td>
              <td class="border">Registry object added or deleted.<ul>
                <li><span class="strong">EventType</span>: Operation type (CreateKey)</li>
                <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\mstsc.exe)</li>
                <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                <li><span class="strong">TargetObject</span>: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL)</li>
                </ul></td>
            </tr>
        <tr class="border">
          <td class="border" rowspan="9">10</td>
          <td class="border">Microsoft-Windows-Sysmon/Operational</td>
          <td class="border">3</td>
          <td class="border">Network connection detected (rule: NetworkConnect)</td>
          <td class="border">Network connection detected.<ul>
            <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
            <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
            <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
            <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
            <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
            <li><span class="strong">User</span>: User the process runs as (NT AUTHORITY\SYSTEM)</li>
            <li><span class="strong">DestinationPort</span>: Destination port number (88, Kerberos: lsass.exe contacts the domain controller on behalf of mstsc.exe to authenticate to the destination host with NLA/CredSSP)</li>
            <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
            <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
            <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Security</td>
          <td class="border">5158</td>
          <td class="border">Filtering Platform Connection</td>
          <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
            <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
            <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
            <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
            <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Security</td>
          <td class="border">5156</td>
          <td class="border">Filtering Platform Connection</td>
          <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
            <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (88)</li>
            <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
            <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
            <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
            <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
            <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
            <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
            <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Microsoft-Windows-Sysmon/Operational</td>
          <td class="border">3</td>
          <td class="border">Network connection detected (rule: NetworkConnect)</td>
          <td class="border">Network connection detected.<ul>
            <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
            <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
            <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
            <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
            <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
            <li><span class="strong">User</span>: User the process runs as (NT AUTHORITY\SYSTEM)</li>
            <li><span class="strong">DestinationPort</span>: Destination port number (88)</li>
            <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
            <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
            <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Security</td>
          <td class="border">5158</td>
          <td class="border">Filtering Platform Connection</td>
          <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
            <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
            <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
            <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
            <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Security</td>
          <td class="border">5156</td>
          <td class="border">Filtering Platform Connection</td>
          <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
            <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (88)</li>
            <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
            <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
            <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
            <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
            <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
            <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
            <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Microsoft-Windows-Sysmon/Operational</td>
          <td class="border">3</td>
          <td class="border">Network connection detected (rule: NetworkConnect)</td>
          <td class="border">Network connection detected.<ul>
            <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
            <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
            <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
            <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
            <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
            <li><span class="strong">User</span>: User the process runs as (NT AUTHORITY\SYSTEM)</li>
            <li><span class="strong">DestinationPort</span>: Destination port number (88)</li>
            <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
            <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
            <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Security</td>
          <td class="border">5158</td>
          <td class="border">Filtering Platform Connection</td>
          <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
            <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
            <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
            <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
            <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Security</td>
          <td class="border">5156</td>
          <td class="border">Filtering Platform Connection</td>
          <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
            <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (88)</li>
            <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
            <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
            <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
            <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
            <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
            <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
            <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
            </ul></td>
        </tr>
        <tr class="border">
          <td class="border" rowspan="2">11</td>
          <td class="border">Microsoft-Windows-TerminalServices-RDPClient/Operational</td>
          <td class="border">1029</td>
          <td class="border">Connection Sequence</td>
          <td class="border">Base64(SHA256(UserName)) is = [BASE64 Encoded SHA256 Hash Value of User Name]</td>
      </tr>
      <tr class="border">
        <!-- rowspan -->
        <td class="border">Microsoft-Windows-TerminalServices-RDPClient/Operational</td>
        <td class="border">1025</td>
        <td class="border">Connection Sequence</td>
        <td class="border">RDP ClientActiveX has connected to the server.</td>
    </tr>
        <tr class="border">
          <td class="border" rowspan="1">12</td>
          <td class="border">Security</td>
          <td class="border">4648</td>
          <td class="border">Logon</td>
          <td class="border">A logon was attempted using explicit credentials.<ul>
            <li><span class="strong">Process Information &gt; Process ID</span>: Process ID that attempted the logon</li>
            <li><span class="strong">Network Information &gt; Port</span>: Source Port (-)</li>
            <li><span class="strong">Account for which Credentials were Used &gt; Account Name</span>: Specified account name</li>
            <li><span class="strong">Subject &gt; Logon ID/Logon GUID</span>: Session ID of the user who executed the authentication</li>
            <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs</li>
            <li><span class="strong">Target Server &gt; Target Server Name</span>: Logon destination host name (destination host)</li>
            <li><span class="strong">Process Information &gt; Process Name</span>: Process name that attempted the logon (C:\Windows\System32\lsass.exe)</li>
            <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool</li>
            <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool</li>
            <li><span class="strong">Target Server &gt; Additional Information</span>: Additional information on the logon destination host (TERMSRV/[Destination Host])</li>
            <li><span class="strong">Account for which Credentials were Used &gt; Account Domain</span>: Domain to which the specified account belongs</li>
            <li><span class="strong">Network Information &gt; Network Address</span>: Logon source host</li>
            </ul></td>
        </tr>
        <tr class="border">
          <td class="border" rowspan="3">13</td>
          <td class="border">Microsoft-Windows-Sysmon/Operational</td>
          <td class="border">3</td>
          <td class="border">Network connection detected (rule: NetworkConnect)</td>
          <td class="border">Network connection detected.<ul>
            <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
            <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
            <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
            <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
            <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
            <li><span class="strong">User</span>: Account the process runs as (NT AUTHORITY\SYSTEM)</li>
            <li><span class="strong">DestinationPort</span>: Destination port number (88)</li>
            <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
            <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
            <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Security</td>
          <td class="border">5158</td>
          <td class="border">Filtering Platform Connection</td>
          <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
            <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
            <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
            <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
            <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Security</td>
          <td class="border">5156</td>
          <td class="border">Filtering Platform Connection</td>
          <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
            <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (88)</li>
            <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
            <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
            <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
            <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
            <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
            <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
            <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
            </ul></td>
        </tr>
        <tr class="border">
          <td class="border" rowspan="1">14</td>
          <td class="border">Security</td>
          <td class="border">4648</td>
          <td class="border">Logon</td>
          <td class="border">A logon was attempted using explicit credentials.<ul>
            <li><span class="strong">Process Information &gt; Process ID</span>: Process ID that attempted the logon</li>
            <li><span class="strong">Network Information &gt; Port</span>: Source Port (-)</li>
            <li><span class="strong">Account for which Credentials were Used &gt; Account Name</span>: Specified account name</li>
            <li><span class="strong">Subject &gt; Logon ID/Logon GUID</span>: Session ID of the user who executed the authentication</li>
            <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs</li>
            <li><span class="strong">Target Server &gt; Target Server Name</span>: Logon destination host name (destination host)</li>
            <li><span class="strong">Process Information &gt; Process Name</span>: Process name that attempted the logon (C:\Windows\System32\lsass.exe)</li>
            <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool</li>
            <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool</li>
            <li><span class="strong">Target Server &gt; Additional Information</span>: Additional information on the logon destination host (TERMSRV/[Destination Host])</li>
            <li><span class="strong">Account for which Credentials were Used &gt; Account Domain</span>: Domain to which the specified account belongs</li>
            <li><span class="strong">Network Information &gt; Network Address</span>: Logon source host</li>
            </ul></td>
        </tr>
        <tr class="border">
          <td class="border" rowspan="3">15</td>
          <td class="border">Security</td>
          <td class="border">4656</td>
          <td class="border">File System/Other Object Access Events</td>
          <td class="border">A handle to an object was requested.<ul>
            <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
            <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
            <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
            <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users[User Name]\AppData\Local\Microsoft\Terminal Server Client\Cache\bcache[NUM].bmc)</li>
            <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\mstsc.exe)</li>
            <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
            <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
            <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Security</td>
          <td class="border">4663</td>
          <td class="border">File System</td>
          <td class="border">An attempt was made to access an object.<ul>
            <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
            <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile, AppendData)</li>
            <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
            <li><span class="strong">Object &gt; Object Name</span>: Target file name</li>
            <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
            <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\mstsc.exe)</li>
            <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
            <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
            <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Security</td>
          <td class="border">4658</td>
          <td class="border">File System</td>
          <td class="border">The handle to an object was closed.<ul>
            <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
            <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
            <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
            <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <td class="border" rowspan="4">16</td>
          <td class="border">Microsoft-Windows-Sysmon/Operational</td>
          <td class="border">11</td>
          <td class="border">File created (rule: FileCreate)</td>
          <td class="border">File created.<ul>
            <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\Explorer.EXE)</li>
            <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
            <li><span class="strong">TargetFilename</span>: Created file (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\[RANDOM].automaticDestinations-ms)</li>
            <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Security</td>
          <td class="border">4656</td>
          <td class="border">File System/Other Object Access Events</td>
          <td class="border">A handle to an object was requested.<ul>
            <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
            <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile)</li>
            <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
            <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\[RANDOM].automaticDestinations-ms)</li>
            <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\explorer.exe)</li>
            <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
            <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
            <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Security</td>
          <td class="border">4663</td>
          <td class="border">File System</td>
          <td class="border">An attempt was made to access an object.<ul>
            <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
            <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile)</li>
            <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
            <li><span class="strong">Object &gt; Object Name</span>: Target file name</li>
            <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
            <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\explorer.exe)</li>
            <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
            <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
            <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Security</td>
          <td class="border">4658</td>
          <td class="border">File System</td>
          <td class="border">The handle to an object was closed.<ul>
            <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
            <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
            <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
            <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <td class="border" rowspan="2">17</td>
          <td class="border">Microsoft-Windows-Sysmon/Operational</td>
          <td class="border">12</td>
          <td class="border">Registry object added or deleted (rule: RegistryEvent)</td>
          <td class="border">Registry object added or deleted.<ul>
            <li><span class="strong">EventType</span>: Operation type (CreateKey)</li>
            <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\mstsc.exe)</li>
            <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
            <li><span class="strong">TargetObject</span>: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Terminal Server Client\Servers\[Target Host])</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Microsoft-Windows-Sysmon/Operational</td>
          <td class="border">13</td>
          <td class="border">Registry value set (rule: RegistryEvent)</td>
          <td class="border">Registry value set.<ul>
            <li><span class="strong">EventType</span>: Operation type (SetValue)</li>
            <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\mstsc.exe)</li>
            <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
            <li><span class="strong">Details</span>: Setting value written to the registry (String:[User Name])</li>
            <li><span class="strong">TargetObject</span>: Registry value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Terminal Server Client\Servers\[Target Host]\UsernameHint)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <td class="border" rowspan="5">18</td>
          <td class="border">Microsoft-Windows-Sysmon/Operational</td>
          <td class="border">12</td>
          <td class="border">Registry object added or deleted (rule: RegistryEvent)</td>
          <td class="border">Registry object added or deleted.<ul>
            <li><span class="strong">EventType</span>: Operation type (CreateKey)</li>
            <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\Explorer.EXE)</li>
            <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
            <li><span class="strong">TargetObject</span>: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Search)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Microsoft-Windows-Sysmon/Operational</td>
          <td class="border">13</td>
          <td class="border">Registry value set (rule: RegistryEvent)</td>
          <td class="border">Registry value set.<ul>
            <li><span class="strong">EventType</span>: Operation type (SetValue)</li>
            <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\Explorer.EXE)</li>
            <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
            <li><span class="strong">Details</span>: Setting value written to the registry (Binary Data)</li>
            <li><span class="strong">TargetObject</span>: Registry value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumpListChangedAppIds)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Microsoft-Windows-Sysmon/Operational</td>
          <td class="border">12</td>
          <td class="border">Registry object added or deleted (rule: RegistryEvent)</td>
          <td class="border">Registry object added or deleted.<ul>
            <li><span class="strong">EventType</span>: Operation type (CreateKey)</li>
            <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\Explorer.EXE)</li>
            <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
            <li><span class="strong">TargetObject</span>: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Microsoft-Windows-Sysmon/Operational</td>
          <td class="border">13</td>
          <td class="border">Registry value set (rule: RegistryEvent)</td>
          <td class="border">Registry value set.<ul>
            <li><span class="strong">EventType</span>: Operation type (SetValue)</li>
            <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\Explorer.EXE)</li>
            <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
            <li><span class="strong">Details</span>: Setting value written to the registry (QWORD)</li>
            <li><span class="strong">TargetObject</span>: Registry value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\Microsoft.Windows.RemoteDesktop)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Microsoft-Windows-Sysmon/Operational</td>
          <td class="border">12</td>
          <td class="border">Registry object added or deleted (rule: RegistryEvent)</td>
          <td class="border">Registry object added or deleted.<ul>
            <li><span class="strong">EventType</span>: Operation type (CreateKey)</li>
            <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\mstsc.exe)</li>
            <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
            <li><span class="strong">TargetObject</span>: Created registry key (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Terminal Server Client\Default\AddIns\RDPDR)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <td class="border" rowspan="3">19</td>
          <td class="border">Security</td>
          <td class="border">4656</td>
          <td class="border">File System/Other Object Access Events</td>
          <td class="border">A handle to an object was requested.<ul>
            <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
            <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
            <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
            <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\[User Name]\Documents\Default.rdp)</li>
            <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\mstsc.exe)</li>
            <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
            <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
            <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Security</td>
          <td class="border">4663</td>
          <td class="border">File System</td>
          <td class="border">An attempt was made to access an object.<ul>
            <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
            <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile, AppendData)</li>
            <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
            <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\[User Name]\Documents\Default.rdp)</li>
            <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
            <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\mstsc.exe)</li>
            <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
            <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
            <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Security</td>
          <td class="border">4658</td>
          <td class="border">File System</td>
          <td class="border">The handle to an object was closed.<ul>
            <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
            <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
            <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
            <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <td class="border" rowspan="1">20</td>
          <td class="border">Microsoft-Windows-Sysmon/Operational</td>
          <td class="border">13</td>
          <td class="border">Registry value set (rule: RegistryEvent)</td>
          <td class="border">Registry value set.<ul>
            <li><span class="strong">EventType</span>: Operation type (SetValue)</li>
            <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\mstsc.exe)</li>
            <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
            <li><span class="strong">Details</span>: Setting value written to the registry (Destination)</li>
            <li><span class="strong">TargetObject</span>: Registry value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Terminal Server Client\Default\MRU0)</li>
            </ul>
            <span class="strong">Remarks</span>: The values &quot;MRU0&quot; to &quot;MRU9&quot; record previously connected hosts for this user. MRU0 is the most recent destination; each new connection shifts the older entries down to MRU1 and below.</td>
        </tr>
        <tr class="border">
          <td class="border" rowspan="2">21</td>
          <td class="border">Microsoft-Windows-Sysmon/Operational</td>
          <td class="border">12</td>
          <td class="border">Registry object added or deleted (rule: RegistryEvent)</td>
          <td class="border">Registry object added or deleted.<ul>
            <li><span class="strong">EventType</span>: Operation type (CreateKey)</li>
            <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\mstsc.exe)</li>
            <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
            <li><span class="strong">TargetObject</span>: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Terminal Server Client\Default)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Microsoft-Windows-Sysmon/Operational</td>
          <td class="border">13</td>
          <td class="border">Registry value set (rule: RegistryEvent)</td>
          <td class="border">Registry value set.<ul>
            <li><span class="strong">EventType</span>: Operation type (SetValue)</li>
            <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\Explorer.EXE)</li>
            <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
            <li><span class="strong">Details</span>: Setting value written to the registry (Binary Data)</li>
            <li><span class="strong">TargetObject</span>: Registry value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ErzbgrQrfxgbc)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <td class="border" rowspan="2">22</td>
          <td class="border">Microsoft-Windows-TerminalServices-RDPClient/Operational</td>
          <td class="border">1105</td>
          <td class="border">Connection Sequence</td>
          <td class="border">The multi-transport connection has been disconnected.</td>
      </tr>
      <tr class="border">
        <!-- rowspan -->
        <td class="border">Microsoft-Windows-TerminalServices-RDPClient/Operational</td>
        <td class="border">1026</td>
        <td class="border">Connection Sequence</td>
        <td class="border">RDP ClientActiveX has been disconnected (Reason = [Reason]).<ul>
          <li><span class="strong">Reason</span>: 1 (local disconnection initiated from the client side; not an error)</li>
          </ul></td>
      </tr>
      <tr class="border">
        <td class="border" rowspan="2">23</td>
        <td class="border">Microsoft-Windows-Sysmon/Operational</td>
        <td class="border">5</td>
        <td class="border">Process terminated (rule: ProcessTerminate)</td>
        <td class="border">Process terminated.<ul>
          <li><span class="strong">UtcTime</span>: Process terminated date and time (UTC)</li>
          <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
          <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\mstsc.exe)</li>
          </ul></td>
      </tr>
      <tr class="border">
        <!-- rowspan -->
        <td class="border">Security</td>
        <td class="border">4689</td>
        <td class="border">Process Termination</td>
        <td class="border">A process has exited.<ul>
          <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
          <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
          <li><span class="strong">Process Information &gt; Exit Status</span>: Process return value (0x0)</li>
          <li><span class="strong">Log Date and Time</span>: Process terminated date and time (local time)</li>
          <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\System32\mstsc.exe)</li>
          <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
          </ul></td>
      </tr>
      </tbody>
    </table>
  </div>
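<p>The table above lists the source-host events one at a time; in practice an analyst has to join them back into "who connected where, as whom". The Python below is an added example, not part of this sheet, that correlates a constructed, trimmed Windows Event XML rendering of those events (Sysmon 3 from lsass.exe to TCP/88, Security 4648 with <code>TERMSRV/[Destination Host]</code>, Sysmon 13 writes to <code>UsernameHint</code> and <code>MRU0</code>) into one record per RDP destination. The EventData field names are the real ones; the host names, user names and SID are invented.</p>

```python
# Added example (not from the JPCERT sheet): reconstruct outbound mstsc.exe
# connections on the SOURCE host from the events listed in the table above.
# The XML below is a constructed, trimmed rendering of those events in
# Windows Event XML form. EventData field names (TargetInfo, TargetObject,
# Details, DestinationPort, ...) are the real ones; hosts, users and the SID
# are invented.
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSMON = "Microsoft-Windows-Sysmon"
SECURITY = "Microsoft-Windows-Security-Auditing"

# Constructed sample: user "alice" on the source host runs mstsc.exe and logs on
# to SRV-FILE01 as CORP\svc_backup. Newer Sysmon versions render the hive as
# HKU\<SID>\... instead of \REGISTRY\USER\<SID>\...; the patterns below accept both.
SAMPLE_EVENTS = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID></System>
 <EventData><Data Name="Image">C:\Windows\System32\lsass.exe</Data>
 <Data Name="User">NT AUTHORITY\SYSTEM</Data><Data Name="Protocol">tcp</Data>
 <Data Name="DestinationIp">10.0.0.5</Data><Data Name="DestinationPort">88</Data></EventData></Event>
<Event><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4648</EventID></System>
 <EventData><Data Name="SubjectUserName">alice</Data><Data Name="TargetUserName">svc_backup</Data>
 <Data Name="TargetDomainName">CORP</Data><Data Name="TargetServerName">SRV-FILE01</Data>
 <Data Name="TargetInfo">TERMSRV/SRV-FILE01</Data>
 <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data><Data Name="IpAddress">-</Data></EventData></Event>
<Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>13</EventID></System>
 <EventData><Data Name="EventType">SetValue</Data><Data Name="Image">C:\Windows\system32\mstsc.exe</Data>
 <Data Name="TargetObject">\REGISTRY\USER\S-1-5-21-1-2-3-1001\SOFTWARE\Microsoft\Terminal Server Client\Servers\SRV-FILE01\UsernameHint</Data>
 <Data Name="Details">CORP\svc_backup</Data></EventData></Event>
<Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>13</EventID></System>
 <EventData><Data Name="EventType">SetValue</Data><Data Name="Image">C:\Windows\system32\mstsc.exe</Data>
 <Data Name="TargetObject">\REGISTRY\USER\S-1-5-21-1-2-3-1001\SOFTWARE\Microsoft\Terminal Server Client\Default\MRU0</Data>
 <Data Name="Details">SRV-FILE01</Data></EventData></Event>
</Events>"""

USERHINT_RE = re.compile(r"\\Terminal Server Client\\Servers\\(?P<host>[^\\]+)\\UsernameHint$", re.I)
MRU_RE = re.compile(r"\\Terminal Server Client\\Default\\MRU(?P<n>\d)$", re.I)


def parse_events(xml_text):
    """Flatten Windows Event XML into (provider, event_id, {DataName: value}) tuples."""
    out = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        provider = ev.find("e:System/e:Provider", NS).get("Name")
        event_id = int(ev.find("e:System/e:EventID", NS).text)
        data = {d.get("Name"): (d.text or "").strip() for d in ev.findall("e:EventData/e:Data", NS)}
        out.append((provider, event_id, data))
    return out


def new_target():
    return {"explicit_creds": [], "username_hint": None, "mru_slot": None}


def rdp_targets(events):
    """Correlate the source-host events into one record per RDP destination."""
    targets = {}
    kerberos_dc_contacts = []
    for provider, event_id, d in events:
        if provider == SYSMON and event_id == 3:
            # lsass.exe reaching TCP/88 is the Kerberos ticket request for TERMSRV/<host>.
            if d.get("Image", "").lower().endswith("\\lsass.exe") and d.get("DestinationPort") == "88":
                kerberos_dc_contacts.append(d.get("DestinationIp"))
        elif provider == SECURITY and event_id == 4648:
            # 4648 from lsass.exe with TERMSRV/<host> records the credentials mstsc.exe presented.
            info = d.get("TargetInfo", "")
            if info.upper().startswith("TERMSRV/") and d.get("ProcessName", "").lower().endswith("\\lsass.exe"):
                host = info.split("/", 1)[1]
                targets.setdefault(host, new_target())["explicit_creds"].append(
                    f"{d.get('TargetDomainName')}\\{d.get('TargetUserName')}")
        elif provider == SYSMON and event_id == 13 and d.get("Image", "").lower().endswith("\\mstsc.exe"):
            tobj = d.get("TargetObject", "")
            m = USERHINT_RE.search(tobj)
            if m:
                targets.setdefault(m["host"], new_target())["username_hint"] = d.get("Details")
            m = MRU_RE.search(tobj)
            if m:
                targets.setdefault(d.get("Details"), new_target())["mru_slot"] = int(m["n"])
    return {"targets": targets, "kerberos_dc_contacts": kerberos_dc_contacts}


if __name__ == "__main__":
    for host, rec in rdp_targets(parse_events(SAMPLE_EVENTS))["targets"].items():
        print(host, rec)
```

<p>On a real host the input would come from <code>wevtutil qe Security /f:xml</code> and <code>wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml</code>; the 4648 event is the strongest single indicator because it ties the destination (<code>TERMSRV/</code>) to the account whose credentials were typed into mstsc.exe, while <code>UsernameHint</code> and <code>MRU0</code> survive in the registry after the event logs have rolled over.</p>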
<h3 class="subsection"><a href="#SourceDetails-UserAssist" class="collapse" id="a-SourceDetails-UserAssist" onclick="showhide('SourceDetails-UserAssist');">-</a> <a name="SourceDetails-UserAssist">UserAssist</a></h3>
  <div class="section" id="div-SourceDetails-UserAssist">
    <table class="border">
      <thead>
        <tr class="border">
          <th class="border_header">#</th>
          <th class="border_header">Registry entry</th>
          <th class="border_header">Information That Can Be Confirmed</th>
        </tr>
      </thead>
      <tbody>
        <tr class="border">
          <td class="border" rowspan="1">1</td>
          <td class="border">\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ErzbgrQrfxgbc</td>
          <td class="border">Last execution date and time, total number of executions (the value name is ROT13-encoded by Windows; it decodes to Microsoft.Windows.RemoteDesktop)</td>
        </tr>
      </tbody>
    </table>
  </div>
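<p>Reading the entry above by hand is error-prone because Windows ROT13-encodes the value name and stores the run count and last-executed FILETIME at fixed offsets inside a 72-byte binary value (Windows 7 and later layout). The following is an added example for this sheet, not code from the original: it decodes the value name, parses the binary value, and runs against a constructed sample value (the 7 executions and the 2017-03-01 timestamp are made up for the example, not taken from a real hive).</p>

```python
"""Decode the UserAssist entry for Remote Desktop Connection.

Added example for this sheet, not code from the original. Windows stores
the value name ROT13-encoded and, from Windows 7 on, a 72-byte value whose
run count sits at offset 4 and whose last-executed FILETIME sits at offset 60.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# GUID under UserAssist\ that holds entries for executed programs
EXE_GUID = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
ENCODED_NAME = "Zvpebfbsg.Jvaqbjf.ErzbgrQrfxgbc"     # as it appears in the hive
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_value_name(name):
    """UserAssist value names are ROT13-encoded."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_userassist(data):
    """Parse the Windows 7+ UserAssist value layout.

    offset 0  uint32 session id
    offset 4  uint32 run count
    offset 8  uint32 focus count
    offset 12 uint32 focus time (ms)
    offset 60 uint64 last executed (FILETIME, 0 = never recorded)
    """
    if 68 > len(data):
        raise ValueError("value too short for the Windows 7+ UserAssist layout")
    session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
    (ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "session": session,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run": filetime_to_datetime(ft) if ft else None,
    }


# Constructed sample value (not taken from a real system): mstsc.exe run 7
# times, most recently 2017-03-01 12:00:00 UTC.
SAMPLE_LAST_RUN = datetime(2017, 3, 1, 12, 0, tzinfo=timezone.utc)


def build_sample_value(run_count=7, last_run=SAMPLE_LAST_RUN):
    data = bytearray(72)
    struct.pack_into("<4I", data, 0, 1, run_count, 0, 0)
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_run))
    return bytes(data)


def demo():
    """Decode the value name and parse the constructed sample value."""
    parsed = parse_userassist(build_sample_value())
    parsed["program"] = decode_value_name(ENCODED_NAME)
    return parsed


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>14}: {v}")
```

<p>On a live system the same value can be read with <code>reg query</code> or the registry PowerShell provider and fed to <code>parse_userassist</code>; on an exported NTUSER.DAT hive, any offline registry library that returns the raw value bytes will do. A FILETIME of zero means the entry was created but no execution time was recorded, so the run count alone should not be read as proof of a recent execution.</p>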
<h3 class="subsection"><a href="#SourceDetails-MFT" class="collapse" id="a-SourceDetails-MFT" onclick="showhide('SourceDetails-MFT');">-</a> <a name="SourceDetails-MFT">MFT</a></h3>
  <div class="section" id="div-SourceDetails-MFT">
    <table class="border">
      <thead>
        <tr class="border">
          <th class="border_header">#</th>
          <th class="border_header">Path</th>
          <th class="border_header">Header Flag</th>
          <th class="border_header">Validity</th>
        </tr>
      </thead>
      <tbody>
        <tr class="border">
          <td class="border" rowspan="3">1</td>
          <td class="border">[Drive Name]:\Users\[User Name]\AppData\Local\Microsoft\Terminal Server Client</td>
          <td class="border">FOLDER</td>
          <td class="border">ALLOCATED</td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">[Drive Name]:\Users\[User Name]\AppData\Local\Microsoft\Terminal Server Client\Cache</td>
          <td class="border">FOLDER</td>
          <td class="border">ALLOCATED</td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">[Drive Name]:\Users\[User Name]\AppData\Local\Microsoft\Terminal Server Client\Cache\bcache[NUM].bmc</td>
          <td class="border">FILE</td>
          <td class="border">ALLOCATED</td>
        </tr>
        <tr class="border">
          <td class="border" rowspan="1">2</td>
          <td class="border">[Drive Name]:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\[RANDOM].automaticDestinations-ms</td>
          <td class="border">FILE</td>
          <td class="border">ALLOCATED</td>
        </tr>
        <tr class="border">
          <td class="border" rowspan="1">3</td>
          <td class="border">[Drive Name]:\Users\[User Name]\Documents\Default.rdp</td>
          <td class="border">FILE</td>
          <td class="border">ALLOCATED</td>
        </tr>
        <tr class="border">
          <td class="border" rowspan="1">4</td>
          <td class="border">[Drive Name]:\Windows\Prefetch\MSTSC.EXE-[RANDOM].pf</td>
          <td class="border">FILE</td>
          <td class="border">ALLOCATED</td>
        </tr>
      </tbody>
    </table>
  </div>
<h3 class="subsection"><a href="#SourceDetails-Prefetch" class="collapse" id="a-SourceDetails-Prefetch" onclick="showhide('SourceDetails-Prefetch');">-</a> <a name="SourceDetails-Prefetch">Prefetch</a></h3>
  <div class="section" id="div-SourceDetails-Prefetch">
    <table class="border">
      <thead>
        <tr class="border">
          <th class="border_header">#</th>
          <th class="border_header">Prefetch File</th>
          <th class="border_header">Process Name</th>
          <th class="border_header">Process Path</th>
          <th class="border_header">Information That Can Be Confirmed</th>
        </tr>
      </thead>
      <tbody>
        <tr class="border">
          <td class="border" rowspan="1">1</td>
          <td class="border">C:\Windows\Prefetch\MSTSC.EXE-[RANDOM].pf</td>
          <td class="border">MSTSC.EXE</td>
          <td class="border">C:\WINDOWS\SYSTEM32\MSTSC.EXE</td>
          <td class="border">Last Run Time (last execution date and time)</td>
        </tr>
      </tbody>
    </table>
  </div>
<h3 class="subsection"><a href="#SourceDetails-Registry" class="collapse" id="a-SourceDetails-Registry" onclick="showhide('SourceDetails-Registry');">-</a> <a name="SourceDetails-Registry">Registry Entry</a></h3>
  <div class="section" id="div-SourceDetails-Registry">
    <table class="border">
      <thead>
        <tr class="border">
          <th class="border_header">#</th>
          <th class="border_header">Path</th>
          <th class="border_header">Type</th>
          <th class="border_header">Value</th>
        </tr>
      </thead>
      <tbody>
        <tr class="border">
          <td class="border" rowspan="3">1</td>
          <td class="border">HKEY_USERS\[User SID]\SOFTWARE\Microsoft\Terminal Server Client\Default\MRU0</td>
          <td class="border">String</td>
          <td class="border">[Target Host]</td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">HKEY_USERS\[User SID]\SOFTWARE\Microsoft\Terminal Server Client\Default\AddIns</td>
          <td class="border">Key</td>
          <td class="border">(No value to be set)</td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">HKEY_USERS\[User SID]\SOFTWARE\Microsoft\Terminal Server Client\Default\AddIns\RDPDR</td>
          <td class="border">Key</td>
          <td class="border">(No value to be set)</td>
        </tr>
        <tr class="border">
          <td class="border" rowspan="1">2</td>
          <td class="border">HKEY_USERS\[User SID]\SOFTWARE\Microsoft\Terminal Server Client\Servers\[Target Host]\UsernameHint</td>
          <td class="border">String</td>
          <td class="border">[User Name]</td>
        </tr>
        <tr class="border">
          <td class="border" rowspan="1">3</td>
          <td class="border">HKEY_USERS\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\Microsoft.Windows.RemoteDesktop</td>
          <td class="border">Binary</td>
          <td class="border">[Binary Value]</td>
        </tr>
        <tr class="border">
          <td class="border" rowspan="1">4</td>
          <td class="border">HKEY_USERS\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ErzbgrQrfxgbc</td>
          <td class="border">Binary</td>
          <td class="border">[Binary Value]</td>
        </tr>
      </tbody>
    </table>
  </div>
</div>
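<p>The source-host artifacts above identify who ran mstsc.exe and which target host was entered; the destination-host events catalogued in the next section (Sysmon event 3 with source port 3389, TerminalServices-RemoteConnectionManager event 261, Security 4624 with Logon Process User32 from winlogon.exe, and Security 4648 from winlogon.exe) are what confirm that the session was actually established. The following is an added example for this sheet, not code from the original: it runs over event records already flattened to dicts (field names follow the event XML element names, as an EvtxECmd or parsed <code>wevtutil</code> export would give) and reports each RDP-shaped 4624 together with which independent sources corroborate it inside a time window. The sample records, host names and addresses are constructed for the example, not real logs.</p>

```python
"""Correlate destination-host evidence of an RDP logon.

Added example for this sheet, not code from the original. It takes event
records already flattened to dicts; field names follow the event XML element
names. The sample records below are constructed for the example, not real logs.
"""
from datetime import datetime, timedelta, timezone

SYSMON = "Microsoft-Windows-Sysmon/Operational"
TS_RCM = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
WINLOGON = r"c:\windows\system32\winlogon.exe"

SAMPLE_EVENTS = [
    # inbound 3389 connection as Sysmon records it on the listener side
    {"channel": SYSMON, "id": 3, "time": "2017-03-01T12:00:01Z",
     "Image": r"C:\Windows\System32\svchost.exe", "Protocol": "tcp",
     "SourcePort": 3389, "DestinationIp": "10.0.0.5", "DestinationPort": 49731},
    {"channel": TS_RCM, "id": 261, "time": "2017-03-01T12:00:01Z"},
    {"channel": "Security", "id": 4624, "time": "2017-03-01T12:00:04Z",
     "LogonType": 10, "LogonProcessName": "User32 ",   # real exports keep the trailing space
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "alice",
     "TargetDomainName": "EXAMPLE", "IpAddress": "10.0.0.5",
     "ProcessName": r"C:\Windows\System32\winlogon.exe"},
    {"channel": "Security", "id": 4648, "time": "2017-03-01T12:00:04Z",
     "SubjectUserName": "DST01$", "TargetUserName": "alice",
     "TargetServerName": "localhost", "IpAddress": "10.0.0.5",
     "ProcessName": r"C:\Windows\System32\winlogon.exe"},
    # local console logon, must not be reported
    {"channel": "Security", "id": 4624, "time": "2017-03-01T13:00:00Z",
     "LogonType": 2, "LogonProcessName": "User32 ",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "bob",
     "TargetDomainName": "DST01", "IpAddress": "127.0.0.1",
     "ProcessName": r"C:\Windows\System32\winlogon.exe"},
    # RDP logon with no Sysmon/RCM corroboration (Sysmon absent or a rule gap)
    {"channel": "Security", "id": 4624, "time": "2017-03-01T14:30:00Z",
     "LogonType": 10, "LogonProcessName": "User32 ",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "svc_backup",
     "TargetDomainName": "EXAMPLE", "IpAddress": "10.0.0.9",
     "ProcessName": r"C:\Windows\System32\winlogon.exe"},
]

RDP_LOGON_TYPES = {10, 7}   # 10 = RemoteInteractive, 7 = reconnect to an existing session
WINDOW = timedelta(seconds=30)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _is_winlogon(e):
    return e.get("ProcessName", "").lower() == WINLOGON


def find_rdp_logons(events, window=WINDOW):
    """One finding per Security 4624 that matches the RDP logon shape
    (Logon Type 10/7, Logon Process User32, winlogon.exe), each marked with
    which independent sources corroborate it within the time window."""
    sysmon_3389 = [e for e in events if e["channel"] == SYSMON and e["id"] == 3
                   and e.get("SourcePort") == 3389]
    listener_261 = [e for e in events if e["channel"] == TS_RCM and e["id"] == 261]
    explicit_4648 = [e for e in events if e["channel"] == "Security" and e["id"] == 4648
                     and _is_winlogon(e)]

    findings = []
    for e in events:
        if e["channel"] != "Security" or e["id"] != 4624:
            continue
        if e.get("LogonType") not in RDP_LOGON_TYPES:
            continue
        if e.get("LogonProcessName", "").strip() != "User32" or not _is_winlogon(e):
            continue
        t = _ts(e["time"])
        src = e["IpAddress"]

        def near(x):
            return window >= abs(_ts(x["time"]) - t)

        findings.append({
            "time": e["time"],
            "user": e["TargetDomainName"] + "\\" + e["TargetUserName"],
            "source_ip": src,
            "logon_type": e["LogonType"],
            "sysmon_3389": any(near(s) and s["DestinationIp"] == src for s in sysmon_3389),
            "listener_261": any(near(l) for l in listener_261),
            "explicit_4648": any(near(x) and x["IpAddress"] == src
                                 and x["TargetUserName"] == e["TargetUserName"]
                                 for x in explicit_4648),
        })
    return findings


if __name__ == "__main__":
    for f in find_rdp_logons(SAMPLE_EVENTS):
        print(f)
```

<p>A finding whose corroboration flags are all false is still a real logon in the Security log; it only means the other channels were not collected or were rolled over, which is itself worth noting when the Sysmon and TerminalServices logs on a host are smaller than expected. The <code>source_ip</code> of each finding is what should be matched against the MRU and UsernameHint registry values and the mstsc.exe events on the suspected source host.</p>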
      <h2 class="section"><a href="#DestinationDetails" class="collapse" id="a-DestinationDetails" onclick="showhide('DestinationDetails');">-</a> <a name="DestinationDetails">Details: Destination Host</a></h2>
        <div class="section" id="div-DestinationDetails">
          <h3 class="subsection"><a href="#DestinationDetails-EventLogs" class="collapse" id="a-DestinationDetails-EventLogs" onclick="showhide('DestinationDetails-EventLogs');">-</a> <a name="DestinationDetails-EventLogs">Event Log</a></h3>
            <div class="section" id="div-DestinationDetails-EventLogs">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Event Log</th>
                    <th class="border_header">Event ID</th>
                    <th class="border_header">Task Category</th>
                    <th class="border_header">Event Details</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="2">1</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (3389)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (destination host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (destination host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (3389)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Destination Address/Destination Port</span>: Destination IP address/Port number (source host)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (System)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (destination host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">2</td>
                    <td class="border">Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</td>
                    <td class="border">261</td>
                    <td class="border">TerminalServices-RemoteConnectionManager</td>
                    <td class="border">Listener RDP-Tcp received a connection.</td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="12">3</td>
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">3</td>
                  <td class="border">Network connection detected (rule: NetworkConnect)</td>
                  <td class="border">Network connection detected.<ul>
                    <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                    <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
                    <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                    <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                    <li><span class="strong">DestinationPort</span>: Destination port number (88)</li>
                    <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                    <li><span class="strong">SourceHostname</span>: Source host name (destination host name)</li>
                    <li><span class="strong">SourceIp</span>: Source IP address (destination host IP address)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">5158</td>
                  <td class="border">Filtering Platform Connection</td>
                  <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                    <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                    <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                    <li><span class="strong">Application Information &gt; Process ID</span>: Process ID (4)</li>
                    <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (System)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">5156</td>
                  <td class="border">Filtering Platform Connection</td>
                  <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                    <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (88)</li>
                    <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                    <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
                    <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                    <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                    <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                    <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (destination host)</li>
                    <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">3</td>
                  <td class="border">Network connection detected (rule: NetworkConnect)</td>
                  <td class="border">Network connection detected.<ul>
                    <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                    <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
                    <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                    <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                    <li><span class="strong">DestinationPort</span>: Destination port number (88)</li>
                    <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                    <li><span class="strong">SourceHostname</span>: Source host name (destination host name)</li>
                    <li><span class="strong">SourceIp</span>: Source IP address (destination host IP address)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">5158</td>
                  <td class="border">Filtering Platform Connection</td>
                  <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                    <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                    <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                    <li><span class="strong">Application Information &gt; Process ID</span>: Process ID (4)</li>
                    <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (System)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">5156</td>
                  <td class="border">Filtering Platform Connection</td>
                  <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                    <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (445)</li>
                    <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                    <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
                    <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                    <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                    <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                    <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (destination host)</li>
                    <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">3</td>
                  <td class="border">Network connection detected (rule: NetworkConnect)</td>
                  <td class="border">Network connection detected.<ul>
                    <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                    <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
                    <li><span class="strong">Image</span>: Path to the executable file (System)</li>
                    <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID (4)</li>
                    <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                    <li><span class="strong">DestinationPort</span>: Destination port number (445)</li>
                    <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                    <li><span class="strong">SourceHostname</span>: Source host name (destination host name)</li>
                    <li><span class="strong">SourceIp</span>: Source IP address (destination host IP address)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">5158</td>
                  <td class="border">Filtering Platform Connection</td>
                  <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                    <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                    <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                    <li><span class="strong">Application Information &gt; Process ID</span>: Process ID (4)</li>
                    <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (System)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">5156</td>
                  <td class="border">Filtering Platform Connection</td>
                  <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                    <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (445)</li>
                    <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                    <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
                    <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                    <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (System)</li>
                    <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                    <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (target host)</li>
                    <li><span class="strong">Application Information &gt; Process ID</span>: Process ID (4)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">3</td>
                  <td class="border">Network connection detected (rule: NetworkConnect)</td>
                  <td class="border">Network connection detected.<ul>
                    <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                    <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
                    <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                    <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                    <li><span class="strong">DestinationPort</span>: Destination port number (88)</li>
                    <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                    <li><span class="strong">SourceHostname</span>: Source host name (destination host name)</li>
                    <li><span class="strong">SourceIp</span>: Source IP address (destination host IP address)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">5158</td>
                  <td class="border">Filtering Platform Connection</td>
                  <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                    <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                    <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                    <li><span class="strong">Application Information &gt; Process ID</span>: Process ID (4)</li>
                    <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (System)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">5156</td>
                  <td class="border">Filtering Platform Connection</td>
                  <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                    <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (88)</li>
                    <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                    <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
                    <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                    <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                    <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                    <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (destination host)</li>
                    <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="2">4</td>
                  <td class="border">Security</td>
                  <td class="border">4624</td>
                  <td class="border">Logon</td>
                  <td class="border">An account was successfully logged on.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (SYSTEM/[Destination Host]$/Domain)</li>
                    <li><span class="strong">New Logon &gt; Logon ID/Logon GUID</span>: Session ID of the user who was logged on</li>
                    <li><span class="strong">Detailed Authentication Information &gt; Package Name (NTLM only)</span>: NTLM version (-)</li>
                    <li><span class="strong">Detailed Authentication Information &gt; Logon Process</span>: Process used for logon (User32)</li>
                    <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                    <li><span class="strong">New Logon &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who was logged on</li>
                    <li><span class="strong">Logon Type</span>: Logon path, method, etc. (10: RemoteInteractive for a new RDP session; 7: reconnection to an existing session)</li>
                    <li><span class="strong">Network Information &gt; Workstation Name</span>: Name of the host that requested the logon (destination host)</li>
                    <li><span class="strong">Detailed Authentication Information &gt; Key Length</span>: Length of the key used for the authentication (0)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\System32\winlogon.exe)</li>
                    <li><span class="strong">Detailed Authentication Information &gt; Authentication Package</span>: Authentication package used (Negotiate)</li>
                    <li><span class="strong">Network Information &gt; Source Network Address</span>: IP address that requested the logon (source host)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4648</td>
                  <td class="border">Logon</td>
                  <td class="border">A logon was attempted using explicit credentials.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID that attempted the logon</li>
                    <li><span class="strong">Network Information &gt; Port</span>: Source port (high port)</li>
                    <li><span class="strong">Account for which Credentials were Used &gt; Account Name</span>: Specified account name</li>
                    <li><span class="strong">Subject &gt; Logon ID/Logon GUID</span>: Session ID of the user who executed the authentication</li>
                    <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                    <li><span class="strong">Target Server &gt; Target Server Name</span>: Logon destination host name (localhost)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Process name that attempted the logon (C:\Windows\System32\winlogon.exe)</li>
                    <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (destination host)</li>
                    <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                    <li><span class="strong">Target Server &gt; Additional Information</span>: Additional information on the logon destination host (localhost)</li>
                    <li><span class="strong">Account for which Credentials were Used &gt; Account Domain</span>: Domain to which the specified account belongs</li>
                    <li><span class="strong">Network Information &gt; Network Address</span>: Logon source host (source host)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="1">5</td>
                  <td class="border">Security</td>
                  <td class="border">4779</td>
                  <td class="border">Other Logon/Logoff Events</td>
                  <td class="border">A session was disconnected from a Window Station.<ul>
                    <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool</li>
                    <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs</li>
                    <li><span class="strong">Additional Information &gt; Client Address</span>: Execution source address (local)</li>
                    <li><span class="strong">Session &gt; Session Name</span>: Identification name of the session (Console)</li>
                    <li><span class="strong">Additional Information &gt; Client Name</span>: Execution source host name (Unknown)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who attempted registration</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="1">6</td>
                  <td class="border">Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</td>
                  <td class="border">24</td>
                  <td class="border">TerminalServices-LocalSessionManager</td>
                  <td class="border">Remote Desktop Services: Session has been disconnected.<ul>
                    <li><span class="strong">User</span>: User who was using the session</li>
                    <li><span class="strong">Source Network Address</span>: Source host address of the session (local)</li>
                    <li><span class="strong">Session ID</span>: ID of the session</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="2">7</td>
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">1</td>
                  <td class="border">Process Create (rule: ProcessCreate)</td>
                  <td class="border">Process Create.<ul>
                    <li><span class="strong">LogonGuid/LogonId</span>: GUID/ID of the logon session</li>
                    <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: GUID/process ID of the parent process</li>
                    <li><span class="strong">ParentImage</span>: Executable file of the parent process (C:\Windows\System32\svchost.exe)</li>
                    <li><span class="strong">CurrentDirectory</span>: Working directory (C:\Windows\system32\)</li>
                    <li><span class="strong">CommandLine</span>: Command line of the created process (C:\Windows\system32\TSTheme.exe -Embedding)</li>
                    <li><span class="strong">IntegrityLevel</span>: Integrity level (Medium)</li>
                    <li><span class="strong">ParentCommandLine</span>: Command line of the parent process (C:\Windows\system32\svchost.exe -k DcomLaunch)</li>
                    <li><span class="strong">UtcTime</span>: Process creation date and time (UTC)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: GUID/process ID of the created process</li>
                    <li><span class="strong">User</span>: User account the process runs as</li>
                    <li><span class="strong">Hashes</span>: Hash values of the executable file</li>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\TSTheme.exe)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4688</td>
                  <td class="border">Process Create</td>
                  <td class="border">A new process has been created.<ul>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
                    <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (C:\Windows\System32\TSTheme.exe)</li>
                    <li><span class="strong">Process Information &gt; Token Escalation Type</span>: Presence of privilege escalation (1)</li>
                    <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Process Information &gt; Source Process ID</span>: Process ID of the parent process that created the new process. &quot;Creator Process ID&quot; in Windows 7</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="8">8</td>
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">12</td>
                  <td class="border">Registry object added or deleted (rule: RegistryEvent)</td>
                  <td class="border">Registry object added or deleted.<ul>
                    <li><span class="strong">EventType</span>: Operation type (CreateKey)</li>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\TSTheme.exe)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                    <li><span class="strong">TargetObject</span>: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows\CurrentVersion\Explorer\Remote\1)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">13</td>
                  <td class="border">Registry value set (rule: RegistryEvent)</td>
                  <td class="border">Registry value set.<ul>
                    <li><span class="strong">EventType</span>: Operation type (SetValue)</li>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\TSTheme.exe)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                    <li><span class="strong">Details</span>: Value data written to the registry (DWORD)</li>
                    <li><span class="strong">TargetObject</span>: Registry value that was written (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows\CurrentVersion\Explorer\Remote\1\TaskbarAnimations)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">12</td>
                  <td class="border">Registry object added or deleted (rule: RegistryEvent)</td>
                  <td class="border">Registry object added or deleted.<ul>
                    <li><span class="strong">EventType</span>: Operation type (CreateKey)</li>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\TSTheme.exe)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                    <li><span class="strong">TargetObject</span>: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\Remote\1\Control Panel\Desktop)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">13</td>
                  <td class="border">Registry value set (rule: RegistryEvent)</td>
                  <td class="border">Registry value set.<ul>
                    <li><span class="strong">EventType</span>: Operation type (SetValue)</li>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\TSTheme.exe)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                    <li><span class="strong">Details</span>: Value data written to the registry (0)</li>
                    <li><span class="strong">TargetObject</span>: Registry value that was written (\REGISTRY\USER\[User SID]\Remote\1\Control Panel\Desktop\DragFullWindows)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">13</td>
                  <td class="border">Registry value set (rule: RegistryEvent)</td>
                  <td class="border">Registry value set.<ul>
                    <li><span class="strong">EventType</span>: Operation type (SetValue)</li>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\TSTheme.exe)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                    <li><span class="strong">Details</span>: Value data written to the registry (0)</li>
                    <li><span class="strong">TargetObject</span>: Registry value that was written (\REGISTRY\USER\[User SID]\Remote\1\Control Panel\Desktop\SmoothScroll)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">13</td>
                  <td class="border">Registry value set (rule: RegistryEvent)</td>
                  <td class="border">Registry value set.<ul>
                    <li><span class="strong">EventType</span>: Operation type (SetValue)</li>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\TSTheme.exe)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                    <li><span class="strong">Details</span>: Value data written to the registry (0)</li>
                    <li><span class="strong">TargetObject</span>: Registry value that was written (\REGISTRY\USER\[User SID]\Remote\1\Control Panel\Desktop\FontSmoothing)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">13</td>
                  <td class="border">Registry value set (rule: RegistryEvent)</td>
                  <td class="border">Registry value set.<ul>
                    <li><span class="strong">EventType</span>: Operation type (SetValue)</li>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\TSTheme.exe)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                    <li><span class="strong">Details</span>: Value data written to the registry (0)</li>
                    <li><span class="strong">TargetObject</span>: Registry value that was written (\REGISTRY\USER\[User SID]\Remote\1\Control Panel\Desktop\FontSmoothingType)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">13</td>
                  <td class="border">Registry value set (rule: RegistryEvent)</td>
                  <td class="border">Registry value set.<ul>
                    <li><span class="strong">EventType</span>: Operation type (SetValue)</li>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\TSTheme.exe)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                    <li><span class="strong">Details</span>: Value data written to the registry (0)</li>
                    <li><span class="strong">TargetObject</span>: Registry value that was written (\REGISTRY\USER\[User SID]\Remote\1\Control Panel\Desktop\UserPreferencesMask)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="3">9</td>
                  <td class="border">Security</td>
                  <td class="border">4656</td>
                  <td class="border">File System/Other Object Access Events</td>
                  <td class="border">A handle to an object was requested.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\AppCompat\Programs\RecentFileCache.bcf)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle</li>
                    <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4663</td>
                  <td class="border">File System</td>
                  <td class="border">An attempt was made to access an object.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile, AppendData)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\AppCompat\Programs\RecentFileCache.bcf)</li>
                    <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                    <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4658</td>
                  <td class="border">File System</td>
                  <td class="border">The handle to an object was closed.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="1">10</td>
                  <td class="border">Security</td>
                  <td class="border">4778</td>
                  <td class="border">Other Logon/Logoff Events</td>
                  <td class="border">A session was reconnected to a Window Station.<ul>
                    <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool</li>
                    <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs</li>
                    <li><span class="strong">Additional Information &gt; Client Address</span>: Execution source address (source host IP address)</li>
                    <li><span class="strong">Session &gt; Session Name</span>: Identification name of the session (RDP-Tcp#[Number])</li>
                    <li><span class="strong">Additional Information &gt; Client Name</span>: Execution source host name (source host name)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who attempted registration</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="1">11</td>
                  <td class="border">Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</td>
                  <td class="border">25</td>
                  <td class="border">TerminalServices-LocalSessionManager</td>
                  <td class="border">Remote Desktop Services: Session reconnection successful.<ul>
                    <li><span class="strong">User</span>: User who was using the session</li>
                    <li><span class="strong">Source Network Address</span>: Source host address of the session (source host)</li>
                    <li><span class="strong">Session ID</span>: ID of the session</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="2">12</td>
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">1</td>
                  <td class="border">Process Create (rule: ProcessCreate)</td>
                  <td class="border">Process Create.<ul>
                    <li><span class="strong">LogonGuid/LogonId</span>: GUID/ID of the logon session</li>
                    <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: GUID/process ID of the parent process</li>
                    <li><span class="strong">ParentImage</span>: Executable file of the parent process (C:\Windows\System32\svchost.exe)</li>
                    <li><span class="strong">CurrentDirectory</span>: Working directory (C:\Windows\system32)</li>
                    <li><span class="strong">CommandLine</span>: Command line of the created process (rdpclip)</li>
                    <li><span class="strong">IntegrityLevel</span>: Integrity level (Medium)</li>
                    <li><span class="strong">ParentCommandLine</span>: Command line of the parent process (C:\Windows\system32\svchost.exe -k NetworkService)</li>
                    <li><span class="strong">UtcTime</span>: Process creation date and time (UTC)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: GUID/process ID of the created process</li>
                    <li><span class="strong">User</span>: User account the process runs as</li>
                    <li><span class="strong">Hashes</span>: Hash values of the executable file</li>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\rdpclip.exe)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4688</td>
                  <td class="border">Process Create</td>
                  <td class="border">A new process has been created.<ul>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
                    <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (C:\Windows\System32\rdpclip.exe)</li>
                    <li><span class="strong">Process Information &gt; Token Escalation Type</span>: Presence of privilege escalation (1)</li>
                    <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Process Information &gt; Source Process ID</span>: Process ID of the parent process that created the new process. &quot;Creator Process ID&quot; in Windows 7</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="3">13</td>
                  <td class="border">Security</td>
                  <td class="border">4656</td>
                  <td class="border">File System/Other Object Access Events</td>
                  <td class="border">A handle to an object was requested.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\AppCompat\Programs\RecentFileCache.bcf)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle</li>
                    <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4663</td>
                  <td class="border">File System</td>
                  <td class="border">An attempt was made to access an object.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile, AppendData)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\AppCompat\Programs\RecentFileCache.bcf)</li>
                    <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                    <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4658</td>
                  <td class="border">File System</td>
                  <td class="border">The handle to an object was closed.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="1">14</td>
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">12</td>
                  <td class="border">Registry object added or deleted (rule: RegistryEvent)</td>
                  <td class="border">Registry object added or deleted.<ul>
                    <li><span class="strong">EventType</span>: Operation type (CreateKey)</li>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\system32\svchost.exe)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                    <li><span class="strong">TargetObject</span>: Created/deleted registry key/value (\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="1">15</td>
                  <td class="border">Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</td>
                  <td class="border">1149</td>
                  <td class="border">TerminalServices-RemoteConnectionManager</td>
                  <td class="border">Remote Desktop Services: User authentication succeeded.<ul>
                    <li><span class="strong">Domain</span>: Domain of the authenticated user</li>
                    <li><span class="strong">User</span>: Name of the authenticated user</li>
                    <li><span class="strong">Source Network Address</span>: IP address of the connecting client (source host)</li>
                    </ul>This event is recorded when the Remote Connection Manager accepts the client connection. When Network Level Authentication is enabled it means the credentials supplied through CredSSP were accepted; when NLA is disabled it is also recorded for a client that only reached the logon screen. Confirm the logon itself with Security event 4624 from the same source address and with event 21 (session logon) or 25 (session reconnection) in the LocalSessionManager log.</td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="2">16</td>
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">5</td>
                  <td class="border">Process terminated (rule: ProcessTerminate)</td>
                  <td class="border">Process terminated.<ul>
                    <li><span class="strong">UtcTime</span>: Process termination date and time (UTC)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\TSTheme.exe)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4689</td>
                  <td class="border">Process Termination</td>
                  <td class="border">A process has exited.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Process Information &gt; Exit Status</span>: Process return value (0x0)</li>
                    <li><span class="strong">Log Date and Time</span>: Process terminated date and time (local time)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\System32\TSTheme.exe)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="4">17</td>
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">11</td>
                  <td class="border">File created (rule: FileCreate)</td>
                  <td class="border">File created.<ul>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                    <li><span class="strong">TargetFilename</span>: Created file (C:\Windows\Prefetch\TSTHEME.EXE-[RANDOM].pf)</li>
                    <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4656</td>
                  <td class="border">File System/Other Object Access Events</td>
                  <td class="border">A handle to an object was requested.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\TSTHEME.EXE-[RANDOM].pf)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle</li>
                    <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4663</td>
                  <td class="border">File System</td>
                  <td class="border">An attempt was made to access an object.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile, AppendData)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\TSTHEME.EXE-[RANDOM].pf)</li>
                    <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                    <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4658</td>
                  <td class="border">File System</td>
                  <td class="border">The handle to an object was closed.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="4">18</td>
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">11</td>
                  <td class="border">File created (rule: FileCreate)</td>
                  <td class="border">File created.<ul>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process GUID and process ID of the process that created the file</li>
                    <li><span class="strong">TargetFilename</span>: Created file (C:\Windows\Prefetch\RDPCLIP.EXE-[RANDOM].pf)</li>
                    <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4656</td>
                  <td class="border">File System/Other Object Access Events</td>
                  <td class="border">A handle to an object was requested.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\RDPCLIP.EXE-[RANDOM].pf)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle</li>
                    <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4663</td>
                  <td class="border">File System</td>
                  <td class="border">An attempt was made to access an object.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile, AppendData)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\RDPCLIP.EXE-[RANDOM].pf)</li>
                    <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                    <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4658</td>
                  <td class="border">File System</td>
                  <td class="border">The handle to an object was closed.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="2">19</td>
                  <td class="border">Security</td>
                  <td class="border">4779</td>
                  <td class="border">Other Logon/Logoff Events</td>
                  <td class="border">A session was disconnected from a Window Station.<ul>
                    <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool</li>
                    <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs</li>
                    <li><span class="strong">Additional Information &gt; Client Address</span>: Execution source address (source host IP address)</li>
                    <li><span class="strong">Session &gt; Session Name</span>: Identification name of the session (RDP-Tcp#[Number])</li>
                    <li><span class="strong">Additional Information &gt; Client Name</span>: Execution source host name (source host name)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who attempted registration</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</td>
                  <td class="border">24</td>
                  <td class="border">TerminalServices-LocalSessionManager</td>
                  <td class="border">Remote Desktop Services: Session has been disconnected.<ul>
                    <li><span class="strong">User</span>: User who was using the session</li>
                    <li><span class="strong">Source Network Address</span>: Source host address of the session (source host)</li>
                    <li><span class="strong">Session ID</span>: ID of the session</li>
                    </ul></td>
                </tr>
              </tbody>
            </table>
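            <p>The events in the table above only become evidence once they are correlated: a 4656/4663/4658 triple shares a Handle ID and Process ID, and a 4779 disconnect (client address, client name, RDP-Tcp# session name) can be tied to LocalSessionManager event 24 (session ID) through the source address. The following is an added example, not part of the original sheet: the event records, the hexadecimal IDs and the host names in it are constructed dicts that mimic the fields named above, and the access-mask bit values are the standard file rights (FILE_WRITE_DATA/FILE_ADD_FILE = 0x2, FILE_APPEND_DATA = 0x4) that "WriteData or AddFile" and "AppendData" correspond to.</p>

```python
"""Correlate the Security-log handle chain (4656 -> 4663 -> 4658) and the RDP
disconnect events (4779 / LocalSessionManager 24) from the table above.
Added example, not JPCERT's code; EVENTS is a constructed sample."""
from collections import defaultdict

# "WriteData or AddFile" (0x2) and "AppendData" (0x4) in the Access Mask field.
WRITE_MASK = 0x2 | 0x4
# Prefetch files whose creation by svchost.exe marks the RDP helper processes starting.
PREFETCH_OF_INTEREST = ("TSTHEME.EXE-", "RDPCLIP.EXE-")

# Constructed sample events (all values invented for illustration).
EVENTS = [
    {"log": "Security", "id": 4656, "pid": "0x2b4", "handle": "0x1a8",
     "object": r"C:\Windows\Prefetch\RDPCLIP.EXE-ABCD1234.pf",
     "process": r"C:\Windows\System32\svchost.exe", "mask": 0x6, "subject": "WIN-SRV$"},
    {"log": "Security", "id": 4663, "pid": "0x2b4", "handle": "0x1a8",
     "object": r"C:\Windows\Prefetch\RDPCLIP.EXE-ABCD1234.pf",
     "process": r"C:\Windows\System32\svchost.exe", "mask": 0x6, "subject": "WIN-SRV$"},
    {"log": "Security", "id": 4658, "pid": "0x2b4", "handle": "0x1a8", "subject": "WIN-SRV$"},
    # Unrelated, incomplete chain (no 4663/4658): must not be reported.
    {"log": "Security", "id": 4656, "pid": "0x9c0", "handle": "0x33c",
     "object": r"C:\Users\victim\Documents\notes.txt",
     "process": r"C:\Windows\System32\notepad.exe", "mask": 0x1, "subject": "victim"},
    {"log": "Security", "id": 4779, "account": "victim", "domain": "CORP",
     "client_address": "192.0.2.10", "client_name": "ATTACKER-PC", "session_name": "RDP-Tcp#3"},
    {"log": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", "id": 24,
     "user": r"CORP\victim", "source_address": "192.0.2.10", "session_id": 3},
]


def handle_chains(events):
    """Group 4656/4663/4658 by (Process ID, Handle ID), the key the table says ties
    the three events together, and keep only chains with all three present."""
    chains = defaultdict(dict)
    for e in events:
        if e["log"] == "Security" and e["id"] in (4656, 4663, 4658):
            chains[(e["pid"], e["handle"])][e["id"]] = e
    return {k: v for k, v in chains.items() if all(i in v for i in (4656, 4663, 4658))}


def prefetch_writes(events):
    """Completed chains in which svchost.exe wrote a TSTHEME/RDPCLIP Prefetch file."""
    hits = []
    for (pid, handle), chain in handle_chains(events).items():
        req = chain[4656]
        name = req["object"].rsplit("\\", 1)[-1].upper()
        if (req["process"].lower().endswith("\\svchost.exe")
                and name.startswith(PREFETCH_OF_INTEREST)
                and req["mask"] & WRITE_MASK):
            hits.append({"pid": pid, "handle": handle, "object": req["object"]})
    return hits


def rdp_disconnects(events):
    """Join 4779 (account, client address/name, RDP-Tcp#N) with LSM event 24
    (session ID) on the client address, so each source host gets a session ID."""
    by_addr = defaultdict(dict)
    for e in events:
        if e["id"] == 4779 and e["session_name"].startswith("RDP-Tcp#"):
            by_addr[e["client_address"]].update(
                account=f'{e["domain"]}\\{e["account"]}',
                client_name=e["client_name"], session_name=e["session_name"])
        elif e["id"] == 24 and e["log"].endswith("LocalSessionManager/Operational"):
            by_addr[e["source_address"]]["session_id"] = e["session_id"]
    return dict(by_addr)


if __name__ == "__main__":
    for hit in prefetch_writes(EVENTS):
        print("prefetch write by svchost:", hit)
    for addr, info in rdp_disconnects(EVENTS).items():
        print("RDP disconnect from", addr, info)
```

            <p>On a real host the dicts would come from the exported event XML (for example via <code>wevtutil qe Security /f:xml</code>); the join keys used here are exactly the fields the table lists, so the logic transfers unchanged.</p>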
          </div>
        <h3 class="subsection"><a href="#DestinationDetails-USNJournal" class="collapse" id="a-DestinationDetails-USNJournal" onclick="showhide('DestinationDetails-USNJournal');">-</a> <a name="DestinationDetails-USNJournal">USN Journal</a></h3>
          <div class="section" id="div-DestinationDetails-USNJournal">
            <table class="border">
              <thead>
                <tr class="border">
                  <th class="border_header">#</th>
                  <th class="border_header">File Name</th>
                  <th class="border_header">Reason (USN change reason flags)</th>
                  <th class="border_header">Attribute</th>
                </tr>
              </thead>
              <tbody>
                <tr class="border">
                  <td class="border" rowspan="3">1</td>
                  <td class="border">RecentFileCache.bcf</td>
                  <td class="border">DATA_EXTEND</td>
                  <td class="border">system+archive</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">RecentFileCache.bcf</td>
                  <td class="border">DATA_EXTEND+DATA_OVERWRITE</td>
                  <td class="border">system+archive</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">RecentFileCache.bcf</td>
                  <td class="border">CLOSE+DATA_EXTEND+DATA_OVERWRITE</td>
                  <td class="border">system+archive</td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="8">2</td>
                  <td class="border">tsprint.dll</td>
                  <td class="border">FILE_CREATE</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">tsprint.dll</td>
                  <td class="border">DATA_EXTEND+FILE_CREATE</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">tsprint.dll</td>
                  <td class="border">BASIC_INFO_CHANGE+DATA_EXTEND+FILE_CREATE</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">tsprint.dll</td>
                  <td class="border">BASIC_INFO_CHANGE+CLOSE+DATA_EXTEND+FILE_CREATE</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">tsprint.dll</td>
                  <td class="border">RENAME_OLD_NAME</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">tsprint.dll</td>
                  <td class="border">RENAME_NEW_NAME</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">tsprint.dll</td>
                  <td class="border">CLOSE+RENAME_NEW_NAME</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">tsprint.dll</td>
                  <td class="border">CLOSE+FILE_DELETE</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="8">3</td>
                  <td class="border">tsprint-datafile.dat</td>
                  <td class="border">FILE_CREATE</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">tsprint-datafile.dat</td>
                  <td class="border">DATA_EXTEND+FILE_CREATE</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">tsprint-datafile.dat</td>
                  <td class="border">BASIC_INFO_CHANGE+DATA_EXTEND+FILE_CREATE</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">tsprint-datafile.dat</td>
                  <td class="border">BASIC_INFO_CHANGE+CLOSE+DATA_EXTEND+FILE_CREATE</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">tsprint-datafile.dat</td>
                  <td class="border">RENAME_OLD_NAME</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">tsprint-datafile.dat</td>
                  <td class="border">RENAME_NEW_NAME</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">tsprint-datafile.dat</td>
                  <td class="border">CLOSE+RENAME_NEW_NAME</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">tsprint-datafile.dat</td>
                  <td class="border">CLOSE+FILE_DELETE</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="8">4</td>
                  <td class="border">tsprint-PipelineConfig.xml</td>
                  <td class="border">FILE_CREATE</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">tsprint-PipelineConfig.xml</td>
                  <td class="border">DATA_EXTEND+FILE_CREATE</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">tsprint-PipelineConfig.xml</td>
                  <td class="border">BASIC_INFO_CHANGE+DATA_EXTEND+FILE_CREATE</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">tsprint-PipelineConfig.xml</td>
                  <td class="border">BASIC_INFO_CHANGE+CLOSE+DATA_EXTEND+FILE_CREATE</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">tsprint-PipelineConfig.xml</td>
                  <td class="border">RENAME_OLD_NAME</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">tsprint-PipelineConfig.xml</td>
                  <td class="border">RENAME_NEW_NAME</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">tsprint-PipelineConfig.xml</td>
                  <td class="border">CLOSE+RENAME_NEW_NAME</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">tsprint-PipelineConfig.xml</td>
                  <td class="border">CLOSE+FILE_DELETE</td>
                  <td class="border">archive</td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="3">5</td>
                  <td class="border">TSTHEME.EXE-[RANDOM].pf</td>
                  <td class="border">FILE_CREATE</td>
                  <td class="border">archive+not_indexed</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">TSTHEME.EXE-[RANDOM].pf</td>
                  <td class="border">DATA_EXTEND+FILE_CREATE</td>
                  <td class="border">archive+not_indexed</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">TSTHEME.EXE-[RANDOM].pf</td>
                  <td class="border">CLOSE+DATA_EXTEND+FILE_CREATE</td>
                  <td class="border">archive+not_indexed</td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="3">6</td>
                  <td class="border">RDPCLIP.EXE-[RANDOM].pf</td>
                  <td class="border">FILE_CREATE</td>
                  <td class="border">archive+not_indexed</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">RDPCLIP.EXE-[RANDOM].pf</td>
                  <td class="border">DATA_EXTEND+FILE_CREATE</td>
                  <td class="border">archive+not_indexed</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">RDPCLIP.EXE-[RANDOM].pf</td>
                  <td class="border">CLOSE+DATA_EXTEND+FILE_CREATE</td>
                  <td class="border">archive+not_indexed</td>
                </tr>
              </tbody>
            </table>
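            <p>The reason strings in the table are the USN_REASON flags of each journal record, and the create, rename, delete sequence for the tsprint.* files is what a transient staging file looks like in $UsnJrnl:$J. The following is an added example, not part of the original sheet: it parses raw USN_RECORD_V2 entries (the fixed 60-byte header layout from winioctl.h, followed by a UTF-16LE file name, padded to 8 bytes), renders the reason and attribute combinations in the same form as the table, and then groups records per file to flag files that were both created and deleted within the journal window. The journal bytes are constructed by <code>build_record()</code> rather than taken from a real volume; the file reference numbers and timestamps in it are invented.</p>

```python
"""Parse USN_RECORD_V2 entries and reconstruct per-file lifecycles.
Added example, not JPCERT's code; SAMPLE is constructed journal data."""
import struct
from datetime import datetime, timedelta, timezone

# USN reason flags (winioctl.h); only those appearing in the table plus CLOSE.
REASON = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE", 0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE",
}
# FILE_ATTRIBUTE_* bits the table renders as system / archive / not_indexed.
ATTR = {0x4: "system", 0x20: "archive", 0x2000: "not_indexed"}

# USN_RECORD_V2 fixed part: RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo, SecurityId,
# FileAttributes, FileNameLength, FileNameOffset (60 bytes, little-endian).
HDR = struct.Struct("<IHHQQqqIIIIHH")
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch


def build_record(usn, name, reason, attrs, ts):
    """Serialise one USN_RECORD_V2; used here only to construct sample input."""
    fname = name.encode("utf-16-le")
    length = (HDR.size + len(fname) + 7) & ~7          # records are 8-byte aligned
    delta = ts - EPOCH
    filetime = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    hdr = HDR.pack(length, 2, 0, 0x1000000000001234, 0x2000000000000005, usn,
                   filetime, reason, 0, 0, attrs, len(fname), HDR.size)
    return hdr + fname + b"\0" * (length - HDR.size - len(fname))


def parse_records(buf):
    """Yield one dict per record from a buffer of consecutive USN_RECORD_V2 entries."""
    off = 0
    while off + HDR.size <= len(buf):
        (length, major, _minor, _frn, _pfrn, usn, filetime, reason, _src, _sid,
         attrs, name_len, name_off) = HDR.unpack_from(buf, off)
        if length == 0:            # zero-filled tail of the journal
            break
        if major != 2:
            raise ValueError(f"unsupported USN record version {major}")
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        yield {
            "usn": usn,
            "time": EPOCH + timedelta(microseconds=filetime // 10),
            "name": name,
            # Same rendering as the table: flag names joined by '+', alphabetical.
            "reason": "+".join(n for n in sorted(REASON.values())
                               if reason & next(b for b, v in REASON.items() if v == n)),
            "attr": "+".join(n for b, n in ATTR.items() if attrs & b),
        }
        off += length


def file_lifecycles(records):
    """Per file name: ordered reasons, first/last time, and whether the file was
    created and later deleted inside the window (transient, like tsprint.*)."""
    life = {}
    for r in records:
        e = life.setdefault(r["name"], {"reasons": [], "created": False,
                                        "deleted": False, "first": r["time"]})
        e["reasons"].append(r["reason"])
        e["created"] = e["created"] or "FILE_CREATE" in r["reason"]
        e["deleted"] = e["deleted"] or "FILE_DELETE" in r["reason"]
        e["last"] = r["time"]
    for e in life.values():
        e["transient"] = e["created"] and e["deleted"]
    return life


# Constructed sample mirroring rows 1, 2 and 6 of the table (timestamps invented).
T0 = datetime(2021, 3, 1, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE = b"".join(
    build_record(100 + i, n, r, a, T0 + timedelta(seconds=i))
    for i, (n, r, a) in enumerate([
        ("RecentFileCache.bcf", 0x00000002, 0x24),
        ("RecentFileCache.bcf", 0x80000003, 0x24),
        ("tsprint.dll", 0x00000100, 0x20),
        ("tsprint.dll", 0x00008102, 0x20),
        ("tsprint.dll", 0x80008102, 0x20),
        ("tsprint.dll", 0x00001000, 0x20),
        ("tsprint.dll", 0x00002000, 0x20),
        ("tsprint.dll", 0x80002000, 0x20),
        ("tsprint.dll", 0x80000200, 0x20),
        ("RDPCLIP.EXE-ABCD1234.pf", 0x80000102, 0x2020),
    ]))

if __name__ == "__main__":
    for name, info in file_lifecycles(parse_records(SAMPLE)).items():
        print(name, "transient" if info["transient"] else "persistent", info["reasons"])
```

            <p>The lifecycle view is what makes the table's tsprint.* rows meaningful: a DLL that is created, renamed and deleted within seconds of an RDP session is printer-redirection staging, and the same create/delete signature on a file with an unexpected name is where to look for a dropped tool.</p>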
          </div>
        <h3 class="subsection"><a href="#DestinationDetails-Prefetch" class="collapse" id="a-DestinationDetails-Prefetch" onclick="showhide('DestinationDetails-Prefetch');">-</a> <a name="DestinationDetails-Prefetch">Prefetch</a></h3>
          <div class="section" id="div-DestinationDetails-Prefetch">
            <table class="border">
              <thead>
                <tr class="border">
                  <th class="border_header">#</th>
                  <th class="border_header">Prefetch File</th>
                  <th class="border_header">Process Name</th>
                  <th class="border_header">Process Path</th>
                  <th class="border_header">Information That Can Be Confirmed</th>
                </tr>
              </thead>
              <tbody>
                <tr class="border">
                  <td class="border" rowspan="1">1</td>
                  <td class="border">C:\Windows\Prefetch\TSTHEME.EXE-[RANDOM].pf</td>
                  <td class="border">TSTHEME.EXE</td>
                  <td class="border">C:\WINDOWS\SYSTEM32\TSTHEME.EXE</td>
                  <td class="border">Last Run Time (last execution date and time)</td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="1">2</td>
                  <td class="border">C:\Windows\Prefetch\RDPCLIP.EXE-[RANDOM].pf</td>
                  <td class="border">RDPCLIP.EXE</td>
                  <td class="border">C:\WINDOWS\SYSTEM32\RDPCLIP.EXE</td>
                  <td class="border">Last Run Time (last execution date and time)</td>
                </tr>
              </tbody>
            </table>
          </div>
        <h3 class="subsection"><a href="#DestinationDetails-Registry" class="collapse" id="a-DestinationDetails-Registry" onclick="showhide('DestinationDetails-Registry');">-</a> <a name="DestinationDetails-Registry">Registry Entry</a></h3>
          <div class="section" id="div-DestinationDetails-Registry">
            <table class="border">
              <thead>
                <tr class="border">
                  <th class="border_header">#</th>
                  <th class="border_header">Path</th>
                  <th class="border_header">Type</th>
                  <th class="border_header">Value</th>
                </tr>
              </thead>
              <tbody>
                <tr class="border">
                  <td class="border" rowspan="2">1</td>
                  <td class="border">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\PackageInstallation\Windows x64\DriverPackages\tsprint.inf_amd64_neutral_c48d421ad2c1e3e3\DriverStorePath</td>
                  <td class="border">String</td>
                  <td class="border">C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_neutral_c48d421ad2c1e3e3\tsprint.inf</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\PackageInstallation\Windows x64\DriverPackages\tsprint.inf_amd64_neutral_c48d421ad2c1e3e3\CabPath</td>
                  <td class="border">String</td>
                  <td class="border">C:\Windows\system32\spool\DRIVERS\x64\PCC\tsprint.inf_amd64_neutral_c48d421ad2c1e3e3.cab</td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="3">2</td>
                  <td class="border">HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Print\PackageInstallation\Windows x64\DriverPackages\tsprint.inf_amd64_neutral_c48d421ad2c1e3e3</td>
                  <td class="border">Key</td>
                  <td class="border">(No value to be set)</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Print\PackageInstallation\Windows x64\DriverPackages\tsprint.inf_amd64_neutral_c48d421ad2c1e3e3\DriverStorePath</td>
                  <td class="border">String</td>
                  <td class="border">C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_neutral_c48d421ad2c1e3e3\tsprint.inf</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Print\PackageInstallation\Windows x64\DriverPackages\tsprint.inf_amd64_neutral_c48d421ad2c1e3e3\CabPath</td>
                  <td class="border">String</td>
                  <td class="border">C:\Windows\system32\spool\DRIVERS\x64\PCC\tsprint.inf_amd64_neutral_c48d421ad2c1e3e3.cab</td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="26">3</td>
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\DeviceInstance</td>
                  <td class="border">String</td>
                  <td class="border">Root\RDPBUS\0000</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS001\SymbolicLink</td>
                  <td class="border">String</td>
                  <td class="border">\\?\Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\TS001</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS001\Device Parameters\Port Number</td>
                  <td class="border">DWORD</td>
                  <td class="border">0x00000001</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS001\Device Parameters\Base Name</td>
                  <td class="border">String</td>
                  <td class="border">TS</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS001\Device Parameters\Port Description</td>
                  <td class="border">String</td>
                  <td class="border">Inactive TS Port</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS001\Device Parameters\MaxBufferSize</td>
                  <td class="border">DWORD</td>
                  <td class="border">0x00000000</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS001\Device Parameters\Client Device Name</td>
                  <td class="border">String</td>
                  <td class="border">\;PRN3:1\tsclient\PRN3</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS001\Device Parameters\recyclable</td>
                  <td class="border">Binary</td>
                  <td class="border">(No value to be set)</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS001\Control\Linked</td>
                  <td class="border">DWORD</td>
                  <td class="border">0x00000000</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS002\SymbolicLink</td>
                  <td class="border">String</td>
                  <td class="border">\\?\Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\TS002</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS002\Device Parameters\Port Number</td>
                  <td class="border">DWORD</td>
                  <td class="border">0x00000002</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS002\Device Parameters\Base Name</td>
                  <td class="border">String</td>
                  <td class="border">TS</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS002\Device Parameters\Port Description</td>
                  <td class="border">String</td>
                  <td class="border">Inactive TS Port</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS002\Device Parameters\MaxBufferSize</td>
                  <td class="border">DWORD</td>
                  <td class="border">0x00000000</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS002\Device Parameters\Client Device Name</td>
                  <td class="border">String</td>
                  <td class="border">\;PRN4:1\tsclient\PRN4</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS002\Device Parameters\recyclable</td>
                  <td class="border">Binary</td>
                  <td class="border">(No value to be set)</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS002\Control\Linked</td>
                  <td class="border">DWORD</td>
                  <td class="border">0x00000000</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS003\SymbolicLink</td>
                  <td class="border">String</td>
                  <td class="border">\\?\Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\TS003</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS003\Device Parameters\Port Number</td>
                  <td class="border">DWORD</td>
                  <td class="border">0x00000003</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS003\Device Parameters\Base Name</td>
                  <td class="border">String</td>
                  <td class="border">TS</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS003\Device Parameters\Port Description</td>
                  <td class="border">String</td>
                  <td class="border">Inactive TS Port</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS003\Device Parameters\MaxBufferSize</td>
                  <td class="border">DWORD</td>
                  <td class="border">0x00000000</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS003\Device Parameters\Client Device Name</td>
                  <td class="border">String</td>
                  <td class="border">\;PRN2:1\tsclient\PRN2</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS003\Device Parameters\recyclable</td>
                  <td class="border">Binary</td>
                  <td class="border">(No value to be set)</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\#TS003\Control\Linked</td>
                  <td class="border">DWORD</td>
                  <td class="border">0x00000000</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\##?#Root#RDPBUS#0000#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}\Control\ReferenceCount</td>
                  <td class="border">DWORD</td>
                  <td class="border">0x00000000</td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="25">4</td>
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\Dependent Files</td>
                  <td class="border">String</td>
                  <td class="border">tsprint-PipelineConfig.xml</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\Configuration File</td>
                  <td class="border">String</td>
                  <td class="border">tsprint.dll</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\Data File</td>
                  <td class="border">String</td>
                  <td class="border">tsprint-datafile.dat</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\Driver</td>
                  <td class="border">String</td>
                  <td class="border">mxdwdrv.dll</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\Help File</td>
                  <td class="border">String</td>
                  <td class="border">(No value to be set)</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\Monitor</td>
                  <td class="border">String</td>
                  <td class="border">(No value to be set)</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\Datatype</td>
                  <td class="border">String</td>
                  <td class="border">(No value to be set)</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\Previous Names</td>
                  <td class="border">String</td>
                  <td class="border">(No value to be set)</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\Version</td>
                  <td class="border">DWORD</td>
                  <td class="border">0x00000003</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\TempDir</td>
                  <td class="border">DWORD</td>
                  <td class="border">0x00000000</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\Attributes</td>
                  <td class="border">DWORD</td>
                  <td class="border">0x00000002</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\Manufacturer</td>
                  <td class="border">String</td>
                  <td class="border">Microsoft</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\OEM URL</td>
                  <td class="border">String</td>
                  <td class="border">(No value to be set)</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\HardwareID</td>
                  <td class="border">String</td>
                  <td class="border">(No value to be set)</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\Provider</td>
                  <td class="border">String</td>
                  <td class="border">Microsoft Remote Desktop Services</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\Print Processor</td>
                  <td class="border">String</td>
                  <td class="border">winprint</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\VendorSetup</td>
                  <td class="border">String</td>
                  <td class="border">(No value to be set)</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\ColorProfiles</td>
                  <td class="border">String</td>
                  <td class="border">(No value to be set)</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\InfPath</td>
                  <td class="border">String</td>
                  <td class="border">C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_neutral_c48d421ad2c1e3e3\tsprint.inf</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\PrinterDriverAttributes</td>
                  <td class="border">DWORD</td>
                  <td class="border">0x00000001</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\CoreDependencies</td>
                  <td class="border">String</td>
                  <td class="border">([GUID])</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\DriverDate</td>
                  <td class="border">String</td>
                  <td class="border">[Driver Update Date and Time]</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\DriverVersion</td>
                  <td class="border">String</td>
                  <td class="border">[Version Number]</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\MinInboxDriverVerDate</td>
                  <td class="border">String</td>
                  <td class="border">01/01/1601</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print\MinInboxDriverVerVersion</td>
                  <td class="border">String</td>
                  <td class="border">0.0.0.0</td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="2">5</td>
                  <td class="border">HKEY_USERS\[User SID]\Software\Microsoft\Windows\CurrentVersion\Explorer\Remote</td>
                  <td class="border">Key</td>
                  <td class="border">(No value to be set)</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_USERS\[User SID]\Remote</td>
                  <td class="border">Key</td>
                  <td class="border">(No value to be set)</td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="4">6</td>
                  <td class="border">HKEY_USERS\[User SID]\Software\Classes\Local Settings\MuiCache\1\826182D0\@%systemroot%\system32\rdpendp.dll,-1001</td>
                  <td class="border">String</td>
                  <td class="border">Remote Audio</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_USERS\[User SID]\Software\Classes\Local Settings\MuiCache\1\826182D0\@%systemroot%\system32\rdpendp.dll,-1002</td>
                  <td class="border">String</td>
                  <td class="border">(No value to be set)</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_USERS\[User SID]_Classes\Local Settings\MuiCache\1\826182D0\@%systemroot%\system32\rdpendp.dll,-1001</td>
                  <td class="border">String</td>
                  <td class="border">Remote Audio</td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">HKEY_USERS\[User SID]_Classes\Local Settings\MuiCache\1\826182D0\@%systemroot%\system32\rdpendp.dll,-1002</td>
                  <td class="border">String</td>
                  <td class="border">(No value to be set)</td>
                </tr>
              </tbody>
            </table>
          </div>
      </div>
        <hr class="section_divider">
      <h2 class="section"><a href="#Notes" class="collapse" id="a-Notes" onclick="showhide('Notes');">-</a> <a name="Notes">Remarks</a></h2>
        <div class="section" id="div-Notes">
          <ul>
            <li>When a client connects to the destination for the first time, a printer driver is installed on the destination (the Remote Desktop Easy Print driver recorded as entry 4 in the table above).</li>
            <li>Communication can be observed on 3389/tcp, but its content is encrypted, so the session itself cannot be reconstructed from a packet capture. Note that the listening port can be changed with a registry setting on the destination (the PortNumber value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp), so a capture filter on 3389/tcp alone can miss sessions.</li>
          </ul>
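          <p>The following PowerShell script is an added example and is not part of this sheet. It collects, from the destination host, the items referred to in the Remarks (the effective RDP listening port and the Easy Print driver) together with the RDPBUS port entries and the per-user Remote key listed as entries 3, 4 and 5 in the table above, so that an investigator can check them from one place. The table lists ControlSet001; on a live host CurrentControlSet points at the control set in use, which is what the script reads by default. The <code>-SystemRoot</code> parameter, the offline-hive mapping and the output field names are assumptions of the example, not values from the sheet.</p>

```powershell
# Added example: collect the destination-side registry artifacts described in the
# Remarks and in entries 3 to 5 of the table above. Not part of this sheet.
# Run in an elevated PowerShell on the destination host. Assumption: the registry
# root can be repointed at an offline SYSTEM hive loaded with
# "reg load HKLM\OfflineSystem <path>" (pass -SystemRoot "HKLM:\OfflineSystem\ControlSet001").
param(
    [string]$SystemRoot = "HKLM:\SYSTEM\CurrentControlSet"   # live host; the table shows ControlSet001
)

$result = [ordered]@{}

# 1. Effective RDP listening port (Remarks, second item). Default is 3389; if
#    PortNumber was changed, a capture filter on 3389/tcp alone misses the sessions.
$rdpTcp = Join-Path $SystemRoot "Control\Terminal Server\WinStations\RDP-Tcp"
$port   = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
$result.ListeningPort  = if ($port) { [int]$port } else { 3389 }
$result.NonDefaultPort = ($result.ListeningPort -ne 3389)

# 2. Remote Desktop Easy Print driver (entry 4): registered on the destination when a
#    client connects for the first time (Remarks, first item).
$easyPrint = Join-Path $SystemRoot "Control\Print\Environments\Windows x64\Drivers\Version-3\Remote Desktop Easy Print"
$result.EasyPrintInstalled = Test-Path -LiteralPath $easyPrint
if ($result.EasyPrintInstalled) {
    $drv = Get-ItemProperty -LiteralPath $easyPrint
    $result.EasyPrintDriver = [pscustomobject]@{
        Provider      = $drv.Provider
        DriverVersion = $drv.DriverVersion
        DriverDate    = $drv.DriverDate
        InfPath       = $drv.InfPath
    }
}

# 3. RDPBUS terminal-server ports (entry 3): one TSnnn key per redirected device. The
#    "Client Device Name" value keeps the client-side device name (e.g. \tsclient\PRN2),
#    which ties the destination back to the source host's redirected printers.
$devClass = Join-Path $SystemRoot "Control\DeviceClasses\{28d78fad-5a12-11d1-ae5b-0000f803a8c2}"
$tsPorts  = @()
if (Test-Path -LiteralPath $devClass) {
    Get-ChildItem -LiteralPath $devClass |
        Where-Object { $_.PSChildName -like '*#RDPBUS#*' } |
        ForEach-Object {
            Get-ChildItem -LiteralPath $_.PSPath |
                Where-Object { $_.PSChildName -like '#TS*' } |
                ForEach-Object {
                    $p = Get-ItemProperty -LiteralPath ($_.PSPath + '\Device Parameters') -ErrorAction SilentlyContinue
                    $tsPorts += [pscustomobject]@{
                        Port         = $_.PSChildName.TrimStart('#')
                        PortNumber   = $p.'Port Number'
                        Description  = $p.'Port Description'   # "Inactive TS Port" once the session is gone
                        ClientDevice = $p.'Client Device Name'
                    }
                }
        }
}
$result.RdpBusPorts = $tsPorts

# 4. Per-user Explorer\Remote key (entry 5). Live host only: it needs the loaded user
#    hives under HKEY_USERS, which the offline-hive assumption above does not cover.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$result.UsersWithRemoteKey = @(
    Get-ChildItem -Path HKU:\ |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d' -and $_.PSChildName -notlike '*_Classes' } |
        Where-Object { Test-Path -LiteralPath ($_.PSPath + '\Software\Microsoft\Windows\CurrentVersion\Explorer\Remote') } |
        ForEach-Object { $_.PSChildName }
)

# Return one object so the result can be exported (e.g. piped to ConvertTo-Json).
[pscustomobject]$result
```

          <p>A non-default listening port or an Easy Print driver entry on a host that is not expected to accept Remote Desktop connections is worth following up with the event log entries listed earlier in this sheet; the script only reads the registry and does not change anything on the host.</p>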
        </div>
  </body>
</html>
